Data access control system for object storage service based on owner-defined code

ABSTRACT

Systems and methods are described for modifying input and output (I/O) to an object storage service by implementing one or more owner-specified functions to I/O requests. A function can implement data access control, such as controlling which users are provided access to which portions of an object collection maintained by the object storage service. For example, data access control functions can be applied prior to implementing a request method (e.g., GET or PUT) specified within the I/O request, and may grant or deny access based on a variety of factors such as user identity, time window, prior access, keywords, geographical region, etc. In this manner, owners of the object collection are provided with greater control over how the object collection is accessed.

RELATED APPLICATIONS

The present application's Applicant is concurrently filing the followingU.S. patent applications on Sep. 27, 2019:

U.S. application Ser. No. TITLE 16/586,619 EXECUTION OF OWNER-SPECIFIEDCODE DURING INPUT/OUTPUT PATH TO OBJECT STORAGE SERVICE 16/586,704INSERTING OWNER-SPECIFIED DATA PROCESSING PIPELINES INTO INPUT/OUTPUTPATH OF OBJECT STORAGE SERVICE 16/586,673 INSERTING EXECUTIONS OFOWNER-SPECIFIED CODE INTO INPUT/OUTPUT PATH OF OBJECT STORAGE SERVICE16/586,580 ON-DEMAND EXECUTION OF OBJECT COMBINATION CODE IN OUTPUT PATHOF OBJECT STORAGE SERVICE 16/586,562 ON-DEMAND EXECUTION OF OBJECTTRANSFORMATION CODE IN OUTPUT PATH OF OBJECT STORAGE SERVICE 16/586,539ON-DEMAND EXECUTION OF OBJECT FILTER CODE IN OUTPUT PATH OF OBJECTSTORAGE SERVICE 16/586,825 ON-DEMAND CODE EXECUTION IN INPUT PATH OFDATA UPLOADED TO STORAGE SERVICE IN MULTIPLE DATA PORTIONS 16/586,816ON-DEMAND CODE OBFUSCATION OF DATA IN INPUT PATH OF OBJECT STORAGESERVICE 16/586,818 ON-DEMAND INDEXING OF DATA IN INPUT PATH OF OBJECTSTORAGE SERVICE 16/586,659 USER-SPECIFIC DATA MANIPULATION SYSTEM FOROBJECT STORAGE SERVICE BASED ON USER-SUBMITTED CODE 16/586,686 CODEEXECUTION ENVIRONMENT CUSTOMIZATION SYSTEM FOR OBJECT STORAGE SERVICE16/586,626 EXECUTION OF USER-SUBMITTED CODE ON A STREAM OF DATA16/586,694 SEQUENTIAL EXECUTION OF USER-SUBMITTED CODE AND NATIVEFUNCTIONS

The disclosures of the above-referenced applications are herebyincorporated by reference in their entirety.

BACKGROUND

Computing devices can utilize communication networks to exchange data.Companies and organizations operate computer networks that interconnecta number of computing devices to support operations or to provideservices to third parties. The computing systems can be located in asingle geographic location or located in multiple, distinct geographiclocations (e.g., interconnected via private or public communicationnetworks). Specifically, data centers or data processing centers, hereingenerally referred to as a “data center,” may include a number ofinterconnected computing systems to provide computing resources to usersof the data center. The data centers may be private data centersoperated on behalf of an organization or public data centers operated onbehalf, or for the benefit of, the general public.

To facilitate increased utilization of data center resources,virtualization technologies allow a single physical computing device tohost one or more instances of virtual machines that appear and operateas independent computing devices to users of a data center. Withvirtualization, the single physical computing device can create,maintain, delete, or otherwise manage virtual machines in a dynamicmanner. In turn, users can request computer resources from a datacenter, including single computing devices or a configuration ofnetworked computing devices, and be provided with varying numbers ofvirtual machine resources.

In addition to computational resources, data centers provide a number ofbeneficial other services to client devices. For example, data centersmay provide data storage services configured to store data submitted byclient devices, and enabling retrieval of that data over a network. Avariety of types of data storage services can be provided, often varyingaccording to their input/output (I/O) mechanisms. For example, databaseservices may allow I/O based on a database query language, such as theStructured Query Language (SQL). Block storage services may allow I/Obased on modification to one or more defined-length blocks, in a mannersimilar to how an operating system interacts with local storage, and maythus facilitate virtualized disk drives usable, for example, to store anoperating system of a virtual machine. Object storage services may allowI/O at the level of individual objects or resources, such as individualfiles, which may vary in content and length. For example, an objectstorage service may provide an interface compliant with theRepresentational State Transfer (REST) architectural style, such as byallowing I/O based on calls designating input data and a hypertexttransport protocol request methods (e.g., GET, PUT, POST, DELETE, etc.)to be applied to that data. By transmitting a call designating inputdata and a request method, a client can thus retrieve the data from anobject storage service, write the data to the object storage service asa new object, modify an existing object, etc.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram depicting an illustrative environment in whichan object storage service can operate in conjunction with an on-demandcode execution system to implement functions in connection withinput/output (I/O) requests to the object storage service;

FIG. 2 depicts a general architecture of a computing device providing afrontend of the object storage service of FIG. 1;

FIG. 3 is a flow diagram depicting illustrative interactions forenabling a client device to modify an I/O path for the object storageservice by insertion of a function implemented by execution of a task onthe on-demand code execution system;

FIG. 4 is an illustrative visualization of a pipeline of functions to beapplied to an I/O path for the object storage service of FIG. 1;

FIGS. 5A-5B show a flow diagram depicting illustrative interactions forhandling a request to store input data as an object on the objectstorage service of FIG. 1, including execution of an owner-specifiedtask to the input data and storage of output of the task as the object;

FIGS. 6A-6B show a flow diagram depicting illustrative interactions forhandling a request to retrieve data of an object on the object storageservice of FIG. 1, including execution of an owner-specified task to theobject and transmission of an output of the task to a requesting deviceas the object;

FIG. 7 is a flow chart depicting an illustrative routine forimplementing owner-defined functions in connection with an I/O requestobtained at the object storage service of FIG. 1 over an I/O path;

FIG. 8 is a flow chart depicting an illustrative routine for executing atask on the on-demand code execution system of FIG. 1 to enable datamanipulations during implementation of an owner-defined function;

FIG. 9 shows a flow diagram depicting illustrative interactions forenabling a client device to modify an I/O path for the object storageservice of FIG. 1 to include execution of user-submitted data accesscontrol code;

FIGS. 10A-10B show a flow diagram depicting illustrative interactionsfor handling a request to retrieve data of an object on the objectstorage service of FIG. 1, including execution of an owner-specifieddata access control code to provide client-specific data access;

FIG. 11 is a flow chart depicting an illustrative routine for handling arequest to retrieve data of an object on the object storage service ofFIG. 1 using the data access control code provided by the client;

FIG. 12 is a flow chart depicting an illustrative routine forimplementing access-level-based data manipulation in connection with anI/O request obtained at the object storage service of FIG. 1;

FIG. 13 shows a flow diagram depicting illustrative interactions forallowing user-specification of code execution environment rules andexecuting owner-submitted code according to the code executionenvironment rules; and

FIG. 14 is a flow chart depicting an illustrative routine forimplementing user code execution customization in connection with an I/Orequest obtained at the object storage service of FIG. 1.

DETAILED DESCRIPTION

Generally described, aspects of the present disclosure relate tohandling requests to read or write to data objects on an object storagesystem. More specifically, aspects of the present disclosure relate tomodification of an input/output (I/O) path for an object storageservice, such that one or more data manipulations can be inserted intothe I/O path to modify the data to which a called request method isapplied, without requiring a calling client device to specify such datamanipulations. In one embodiment, data manipulations occur throughexecution of user-submitted code, which may be provided for example byan owner of a collection of data objects on an object storage system inorder to control interactions with that data object. For example, incases where an owner of an object collection wishes to ensure that endusers do not submit objects to the collection including any personallyidentifying information (to ensure end user's privacy), the owner maysubmit code executable to strip such information from a data input. Theowner may further specify that such code should be executed during eachwrite of a data object to the collection. Accordingly, when an end userattempts to write input data to the collection as a data object (e.g.,via an HTTP PUT method), the code may be first executed against theinput data, and resulting output data may be written to the collectionas the data object. Notably, this may result in the operation requestedby the end user—such as a write operation—being applied not to the enduser's input data, but instead to the data output by the datamanipulation (e.g., owner-submitted) code. In this way, owners of datacollections control I/O to those collections without relying on endusers to comply with owner requirements. Indeed, end users (or any otherclient device) may be unaware that modifications to I/O are occurring.As such, embodiments of the present disclosure enable modification ofI/O to an object storage service without modification of an interface tothe service, ensuring inter-compatibility with other pre-existingsoftware utilizing the service.

In some embodiments of the present disclosure, data manipulations mayoccur on an on-demand code execution system, sometimes referred to as aserverless execution system. Generally described, on-demand codeexecution systems enable execution of arbitrary user-designated code,without requiring the user to create, maintain, or configure anexecution environment (e.g., a physical or virtual machine) in which thecode is executed. For example, whereas conventional computing servicesoften require a user to provision a specific device (virtual orphysical), install an operating system on the device, configureapplication, define network interfaces, and the like, an on-demand codeexecution system may enable a user to submit code and may provide to theuser an application programming interface (API) that, when used, enablesthe user to request execution of the code. On receiving a call throughthe API, the on-demand code execution system may generate an executionenvironment for the code, provision the environment with the code,execute the code, and provide a result. Thus, an on-demand codeexecution system can remove a need for a user to handle configurationand management of environments for code execution. Example techniquesfor implementing an on-demand code execution system are disclosed, forexample, within U.S. Pat. No. 9,323,556, entitled “PROGRAMMATIC EVENTDETECTION AND MESSAGE GENERATION FOR REQUESTS TO EXECUTE PROGRAM CODE,”and filed Sep. 30, 2014 (the “'556 patent”), the entirety of which ishereby incorporated by reference.

Due to the flexibility of on-demand code execution system to executearbitrary code, such a system can be used to create a variety of networkservices. For example, such a system could be used to create a“micro-service,” a network service that implements a small number offunctions (or only one function), and that interacts with other servicesto provide an application. In the context of on-demand code executionsystems, the code executed to create such a service is often referred toas a “function” or a “task,” which can be executed to implement theservice. Accordingly, one technique for performing data manipulationswithin the I/O path of an object storage service may be to create a taskon an on-demand code execution system that, when executed, performs therequired data manipulation. Illustratively, the task could provide aninterface similar or identical to that of the object storage service,and be operable to obtain input data in response to a request methodcall (e.g., HTTP PUT or GET calls), execute the code of the task againstthe input data, and perform a call to the object storage service forimplementation of the request method on resulting output data. Adownside of this technique is a complexity. For example, end users mightbe required under this scenario to submit I/O requests to the on-demandcode execution system, rather than the object storage service, to ensureexecution of the task. Should an end user submit a call directly to theobject storage service, task execution may not occur, and thus an ownerwould not be enabled to enforce a desired data manipulation for anobject collection. In addition, this technique may require that code ofa task be authored to both provide an interface to end users thatenables handling of calls to implement request methods on input data,and an interface that enables performance of calls from the taskexecution to the object storage service. Implementation of these networkinterfaces may significantly increase the complexity of the requiredcode, thus disincentivizing owners of data collections from using thistechnique. Moreover, where user-submitted code directly implementsnetwork communication, that code may need to be varied according to therequest method handled. For example, a first set of code may be requiredto support GET operations, a second set of code may be required tosupport PUT operations, etc. Because embodiments of the presentdisclosure relieve the user-submitted code of the requirement ofhandling network communications, one set of code may in some cases beenabled to handle multiple request methods.

To address the above-noted problems, embodiments of the presentdisclosure can enable strong integration of serverless task executionswith interfaces of an object storage service, such that the serviceitself is configured to invoke a task execution on receiving an I/Orequest to a data collection. Moreover, generation of code to performdata manipulations may be simplified by configuring the object storageservice to facilitate data input and output from a task execution,without requiring the task execution to itself implement networkcommunications for I/O operations. Specifically, an object storageservice and on-demand code execution system can be configured in oneembodiment to “stage” input data to a task execution in the form of ahandle (e.g., a POSIX-compliant descriptor) to an operating-system-levelinput/output stream, such that code of a task can manipulate the inputdata via defined-stream operations (e.g., as if the data existed withina local file system). This stream-level access to input data can becontrasted, for example, with network-level access of input data, whichgenerally requires that code implement network communication to retrievethe input data. Similarly, the object storage service and on-demand codeexecution system can be configured to provide an output stream handlerepresenting an output stream to which a task execution may writeoutput. On detecting writes to the output stream, the object storageservice and on-demand code execution system may handle such writes asoutput data of the task execution, and apply a called request method tothe output data. By enabling a task to manipulate data based on inputand output streams passed to the task, as opposed to requiring the codeto handle data communications over a network, the code of the task canbe greatly simplified.

Another benefit of enabling a task to manipulate data based on input andoutput handles is increased security. A general-use on-demand codeexecution system may operate permissively with respect to networkcommunications from a task execution, enabling any network communicationfrom the execution unless such communication is explicitly denied. Thispermissive model is reflective of the use of task executions asmicro-services, which often require interaction with a variety of othernetwork services. However, this permissive model also decreases securityof the function, since potentially malicious network communications canalso reach the execution. In contrast to a permissive model, taskexecutions used to perform data manipulations on an object storagesystem's I/O path can utilize a restrictive model, whereby onlyexplicitly-allowed network communications can occur from an environmentexecuting a task. Illustratively, because data manipulation can occurvia input and output handles, it is envisioned that many or most tasksused to perform data manipulation in embodiments of the presentdisclosure would require no network communications to occur at all,greatly increasing security of such an execution. Where a task executiondoes require some network communications, such as to contact an externalservice to assist with a data manipulation, such communications can beexplicitly allowed, or “whitelisted,” thus exposing the execution inonly a strictly limited manner.

In some embodiments, a data collection owner may require only a singledata manipulation to occur with respect to I/O to the collection.Accordingly, the object storage service may detect I/O to thecollection, implement the data manipulation (e.g., by executing aserverless task within an environment provisioned with input and outputhandles), and apply the called request method to the resulting outputdata. In other embodiments, an owner may request multiple datamanipulations occur with respect to an I/O path. For example, toincrease portability and reusability, an owner may author multipleserverless tasks, which may be combined in different manners ondifferent I/O paths. Thus, for each path, the owner may define a seriesof serverless tasks to be executed on I/O to the path. Moreover, in someconfigurations, an object storage system may natively provide one ormore data manipulations. For example, an object storage system maynatively accept requests for only portions of an object (e.g., of adefined byte range), or may natively enable execution of queries againstdata of an object (e.g., SQL queries). In some embodiments, anycombination of various native manipulations and serverless task-basedmanipulations may be specified for a given I/O path. For example, anowner may specify that, for a particular request to read an object, agiven SQL query be executed against the object, the output of which isprocessed via a first task execution, the output of which is processedvia a second task execution, etc. The collection of data manipulations(e.g., native manipulations, serverless task-based manipulations, or acombination thereof) applied to an I/O path is generally referred toherein as a data processing “pipeline” applied to the I/O path.

In accordance with aspects of the present disclosure, a particular pathmodification (e.g., the addition of a pipeline) applied to an I/O pathmay vary according to attributes of the path, such as a client devicefrom which an I/O request originates or an object or collection ofobjects within the request. For example, pipelines may be applied toindividual objects, such that the pipeline is applied to all I/Orequests for the object, or a pipeline may be selectively applied onlywhen certain client devices access the object. In some instances, anobject storage service may provide multiple I/O paths for an object orcollection. For example, the same object or collection may be associatedwith multiple resource identifiers on the object storage service, suchthat the object or collection can be accessed through the multipleidentifiers (e.g., uniform resource identifiers, or URIs), whichillustratively correspond to different network-accessible endpoints. Inone embodiment, different pipelines may be applied to each I/O path fora given object. For example, a first I/O path may be associated withunprivileged access to a data set, and thus be subject to datamanipulations that remove confidential information from the data setprior during retrieval. A second I/O path may be associated withprivileged access, and thus not be subject to those data manipulations.In some instances, pipelines may be selectively applied based on othercriteria. For example, whether a pipeline is applied may be based ontime of day, a number or rate of accesses to an object or collection,etc.

Another limitation of existing object storage services is the inabilityto dynamically control access to the data provided by the object storageservices. While such object storage services may provide a way for thedata owner/provider to configure user-specific permissions andcredentials (e.g., within the object storage services or with anexternal token broker that facilitates data access control) such thatdifferent users have access to different portions (e.g., directors,sub-directories, paths, buckets, volumes, containers, etc.) of the data,such configurations are typically done manually, and having to changethe configurations every time user access rights need to be modifiedwould be very burdensome to the owner/provider of the data. Also, sincestatic permissions and credentials often only rely on the identity ofthe user accessing the data, it may not be possible or feasible toimplement other methods of determining access such as providing accessbased on a time window, prior access, keywords, and the like.

In accordance with aspects of the present disclosure, data accesscontrol code may be written by the data owner/provider and placed in theI/O path such that when a request to access the data is received (e.g.,via a GET call), the data access control code can be executed andprovide a more robust user-specific access to the data. For example, thedata access control code may provide access based on a time window(e.g., for a user who has signed up for a 7-day access to the datamaintained by the object storage service, access may be denied after 7days), provide access based on prior access by the same user (e.g., fora user whose access is set to expire after accessing the data 5 times,access may be denied after the user accesses the data 5 times), provideaccess based on keywords (e.g., for a user who is allowed to access theportion of the data that relates to “automobiles,” access requests thatdo not specify the keyword “automobiles” may be denied), and the like.Thus, the techniques of the present disclosure allow the dataowner/provider to be able to provide dynamically controlled access tothe data maintained by the object storage service.

Similarly, existing object storage services may not provide the abilityfor the data owner/provider to specify different types of datamanipulations to be performed for different access requests. Forexample, existing object storage services may allow the dataowner/provider to specify that User A is allowed to access Data BucketsX and Y and User B is allowed to access Data Bucket X but not DataBucket Y. However, such binary permission settings (e.g., a user eitherhas access to a data object or does not have access to the data object)may not allow the data owner/provider to specify more complex permissioninformation such as that User A is (i) given full access to Data BucketX in its entirety without modification and (ii) given preview access toData Bucket Y such that User A can only access the first page of eachdocument in Data Bucket Y, and that User B is (i) not allowed to accessany data in Data Bucket X and (ii) is given archival access to DataBucket Y such that User B can only access data in Bucket Y that are morethan 1 year old.

In accordance with aspects of the present disclosure, data accesscontrol code may be combined (e.g., executed in series or combined intothe same code) with one or more data manipulation codes to provide thedata owner/provider with the ability to performuser-access-level-specific data manipulations (e.g., data removal,modification, redaction, processing, etc.). For example, when an I/Orequest is received (e.g., via a GET call or a PUT call), the dataaccess control code in the I/O path may be executed, and either providefull access to the requested data, cause additional user code to beexecuted (e.g., data manipulation code), or deny the request based onthe user's access level. Advantageously, the techniques of the presentdisclosure not only allow the data owner/provider to specifyuser-specific permissions but also allow the data owner/provider tocause user-specific modification, filtering, or processing to beperformed prior to returning the requested data to the requesting user.Thus, these techniques allow the data owner/provider to be able tospecify user-specific and access-level-specific manipulations of thedata maintained by the object storage service.

Additionally, existing object storage services, due to the lack ofintegration with an external serverless code execution system asdiscussed above, may not provide a mechanism for the data owner/providerto control the execution environment of the various code (e.g.,owner-submitted) executions performed in connection with the provisionof the services provided by the object storage service. Without theability to customize the execution environment for these codeexecutions, such existing object storage services may be limited tohaving the same execution environment for all users and for all usercodes.

In accordance with aspects of the present disclosure, the object storageservice can allow a data owner/provider to customize the code executionenvironment by specifying code execution environment rules. Such codeexecution environment rules may indicate the identity of one or moreowner-submitted codes that have been placed in the I/O request path andthe corresponding privileges given to (or restrictions placed on) theexecution of the one or more owner-submitted codes. For example, thecode execution environment rules can specify that a data access controlcode should have access to an external database that contains sensitiveuser authorization information, whereas a data manipulation codeconfigured to be executed after the data access control code grantsaccess should not have access to such an external database that containssensitive user authorization information. Similarly, such code executionenvironment rules may indicate the identity of one or more dataowners/providers (e.g., a user who has stored certain data object on theservice 160 and made the data object accessible by other users) orrequesting users (e.g., users who requests to read or write to the dataobjects stored by the service 160) and the corresponding privilegesgiven to (or restrictions placed on) the execution of one or more codesassociated with the data owners/providers or requesting users. Forexample, for Users A and B, the code execution environment rules mayspecify that code executions performed on behalf of User A should haveaccess to User A's private resources (e.g., database services, loggingservices, storage services, or other network-accessible services thatmay be accessed using User A's credentials), whereas code executionsperformed on behalf of User B should not have access to externalresources or establish network connections with an external service(e.g., not allowed to access User B's private resources or otherexternal resources). In some cases, Users A and B are dataowners/providers in this example. In other cases, Users A and B arerequesting users who wish to read the data owner's data or write to thedata owner's storage on the service 160.

As will be appreciated by one of skill in the art in light of thepresent disclosure, the embodiments disclosed herein improve the abilityof computing systems, such as object storage systems, to provide andenforce data manipulation functions against data objects. Whereas priortechniques generally depend on external enforcement of data manipulationfunctions (e.g., requesting that users strip personal information beforeuploading it), embodiments of the present disclosure enable directinsertion of data manipulation into an I/O path for the object storagesystem. Moreover, embodiments of the present disclosure provide a securemechanism for implementing data manipulations, by providing forserverless execution of manipulation functions within an isolatedexecution environment. Embodiments of the present disclosure furtherimprove operation of serverless functions, by enabling such functions tooperate on the basis of local stream (e.g., “file”) handles, rather thanrequiring that functions act as network-accessible services. Thepresently disclosed embodiments therefore address technical problemsinherent within computing systems, such as the difficulty of enforcingdata manipulations at storage systems and the complexity of creatingexternal services to enforce such data manipulations. These technicalproblems are addressed by the various technical solutions describedherein, including the insertion of data processing pipelines into an I/Opath for an object or object collection, potentially without knowledgeof a requesting user, the use of serverless functions to perform aspectsof such pipelines, and the use of local stream handles to enablesimplified creation of serverless functions. Thus, the presentdisclosure represents an improvement on existing data processing systemsand computing systems in general.

The general execution of tasks on the on-demand code execution systemwill now be discussed. As described in detail herein, the on-demand codeexecution system may provide a network-accessible service enabling usersto submit or designate computer-executable source code to be executed byvirtual machine instances on the on-demand code execution system. Eachset of code on the on-demand code execution system may define a “task,”and implement specific functionality corresponding to that task whenexecuted on a virtual machine instance of the on-demand code executionsystem. Individual implementations of the task on the on-demand codeexecution system may be referred to as an “execution” of the task (or a“task execution”). In some cases, the on-demand code execution systemmay enable users to directly trigger execution of a task based on avariety of potential events, such as transmission of an applicationprogramming interface (“API”) call to the on-demand code executionsystem, or transmission of a specially formatted hypertext transportprotocol (“HTTP”) packet to the on-demand code execution system. Inaccordance with embodiments of the present disclosure, the on-demandcode execution system may further interact with an object storagesystem, in order to execute tasks during application of a datamanipulation pipeline to an I/O path. The on-demand code executionsystem can therefore execute any specified executable code “on-demand,”without requiring configuration or maintenance of the underlyinghardware or infrastructure on which the code is executed. Further, theon-demand code execution system may be configured to execute tasks in arapid manner (e.g., in under 100 milliseconds [ms]), thus enablingexecution of tasks in “real-time” (e.g., with little or no perceptibledelay to an end user). To enable this rapid execution, the on-demandcode execution system can include one or more virtual machine instancesthat are “pre-warmed” or pre-initialized (e.g., booted into an operatingsystem and executing a complete or substantially complete runtimeenvironment) and configured to enable execution of user-defined code,such that the code may be rapidly executed in response to a request toexecute the code, without delay caused by initializing the virtualmachine instance. Thus, when an execution of a task is triggered, thecode corresponding to that task can be executed within a pre-initializedvirtual machine in a very short amount of time.

Specifically, to execute tasks, the on-demand code execution systemdescribed herein may maintain a pool of executing virtual machineinstances that are ready for use as soon as a request to execute a taskis received. Due to the pre-initialized nature of these virtualmachines, delay (sometimes referred to as latency) associated withexecuting the task code (e.g., instance and language runtime startuptime) can be significantly reduced, often to sub-100 millisecond levels.Illustratively, the on-demand code execution system may maintain a poolof virtual machine instances on one or more physical computing devices,where each virtual machine instance has one or more software components(e.g., operating systems, language runtimes, libraries, etc.) loadedthereon. When the on-demand code execution system receives a request toexecute program code (a “task”), the on-demand code execution system mayselect a virtual machine instance for executing the program code of theuser based on the one or more computing constraints related to the task(e.g., a required operating system or runtime) and cause the task to beexecuted on the selected virtual machine instance. The tasks can beexecuted in isolated containers that are created on the virtual machineinstances, or may be executed within a virtual machine instance isolatedfrom other virtual machine instances acting as environments for othertasks. Since the virtual machine instances in the pool have already beenbooted and loaded with particular operating systems and languageruntimes by the time the requests are received, the delay associatedwith finding compute capacity that can handle the requests (e.g., byexecuting the user code in one or more containers created on the virtualmachine instances) can be significantly reduced.

As used herein, the term “virtual machine instance” is intended to referto an execution of software or other executable code that emulateshardware to provide an environment or platform on which software mayexecute (an example “execution environment”). Virtual machine instancesare generally executed by hardware devices, which may differ from thephysical hardware emulated by the virtual machine instance. For example,a virtual machine may emulate a first type of processor and memory whilebeing executed on a second type of processor and memory. Thus, virtualmachines can be utilized to execute software intended for a firstexecution environment (e.g., a first operating system) on a physicaldevice that is executing a second execution environment (e.g., a secondoperating system). In some instances, hardware emulated by a virtualmachine instance may be the same or similar to hardware of an underlyingdevice. For example, a device with a first type of processor mayimplement a plurality of virtual machine instances, each emulating aninstance of that first type of processor. Thus, virtual machineinstances can be used to divide a device into a number of logicalsub-devices (each referred to as a “virtual machine instance”). Whilevirtual machine instances can generally provide a level of abstractionaway from the hardware of an underlying physical device, thisabstraction is not required. For example, assume a device implements aplurality of virtual machine instances, each of which emulate hardwareidentical to that provided by the device. Under such a scenario, eachvirtual machine instance may allow a software application to executecode on the underlying hardware without translation, while maintaining alogical separation between software applications running on othervirtual machine instances. This process, which is generally referred toas “native execution,” may be utilized to increase the speed orperformance of virtual machine instances. Other techniques that allowdirect utilization of underlying hardware, such as hardware pass-throughtechniques, may be used, as well.

While a virtual machine executing an operating system is describedherein as one example of an execution environment, other executionenvironments are also possible. For example, tasks or other processesmay be executed within a software “container,” which provides a runtimeenvironment without itself providing virtualization of hardware.Containers may be implemented within virtual machines to provideadditional security, or may be run outside of a virtual machineinstance.

The foregoing aspects and many of the attendant advantages of thisdisclosure will become more readily appreciated as the same becomebetter understood by reference to the following description, when takenin conjunction with the accompanying drawings.

FIG. 1 is a block diagram of an illustrative operating environment 100in which a service provider system 110 operates to enable client devices102 to perform I/O operations on objects stored within an object storageservice 160 and to apply path modifications to such I/O operations,which modifications may include execution of user-defined code on anon-demand code execution system 120.

By way of illustration, various example client devices 102 are shown incommunication with the service provider system 110, including a desktopcomputer, laptop, and a mobile phone. In general, the client devices 102can be any computing device such as a desktop, laptop or tabletcomputer, personal computer, wearable computer, server, personal digitalassistant (PDA), hybrid PDA/mobile phone, mobile phone, electronic bookreader, set-top box, voice command device, camera, digital media player,and the like.

Generally described, the object storage service 160 can operate toenable clients to read, write, modify, and delete data objects, each ofwhich represents a set of data associated with an identifier (an “objectidentifier” or “resource identifier”) that can be interacted with as anindividual resource. For example, an object may represent a single filesubmitted by a client device 102 (though the object storage service 160may or may not store such an object as a single file). This object-levelinteraction can be contrasted with other types of storage services, suchas block-based storage services providing data manipulation at the levelof individual blocks or database storage services providing datamanipulation at the level of tables (or parts thereof) or the like.

The object storage service 160 illustratively includes one or morefrontends 162, which provide an interface (a command-line interface(CLIs), application programing interface (APIs), or other programmaticinterface) through which client devices 102 can interface with theservice 160 to configure the service 160 on their behalf and to performI/O operations on the service 160. For example, a client device 102 mayinteract with a frontend 162 to create a collection of data objects onthe service 160 (e.g., a “bucket” of objects) and to configurepermissions for that collection. Client devices 102 may thereaftercreate, read, update, or delete objects within the collection based onthe interfaces of the frontends 162. In one embodiment, the frontend 162provides a REST-compliant HTTP interface supporting a variety of requestmethods, each of which corresponds to a requested I/O operation on theservice 160. By way of non-limiting example, request methods mayinclude:

-   -   a GET operation requesting retrieval of an object stored on the        service 160 by reference to an identifier of the object;    -   a PUT operation requesting storage of an object to be stored on        the service 160, including an identifier of the object and input        data to be stored as the object;    -   a DELETE operation requesting deletion of an object stored on        the service 160 by reference to an identifier of the object; and    -   a LIST operation requesting listing of objects within an object        collection stored on the service 160 by reference to an        identifier of the collection.        A variety of other operations may also be supported. For        example, the service 160 may provide a POST operation similar to        a PUT operation but associated with a different upload mechanism        (e.g., a browser-based HTML upload), or a HEAD operation        enabling retrieval of metadata for an object without retrieving        the object itself. In some embodiments, the service 160 may        enable operations that combine one or more of the above        operations, or combining an operation with a native data        manipulation. For example, the service 160 may provide a COPY        operation enabling copying of an object stored on the service        160 to another object, which operation combines a GET operation        with a PUT operation. As another example, the service 160 may        provide a SELECT operation enabling specification of an SQL        query to be applied to an object prior to returning the contents        of that object, which combines an application of an SQL query to        a data object (a native data manipulation) with a GET operation.        As yet another example, the service 160 may provide a “byte        range” GET, which enables a GET operation on only a portion of a        data object. In some instances, the operation requested by a        client device 102 on the service 160 may be transmitted to the        service via an HTTP request, which itself may include an HTTP        method. In some cases, such as in the case of a GET operation,        the HTTP method specified within the request may match the        operation requested at the service 160. However, in other cases,        the HTTP method of a request may not match the operation        requested at the service 160. For example, a request may utilize        an HTTP POST method to transmit a request to implement a SELECT        operation at the service 160.

During general operation, frontends 162 may be configured to obtain acall to a request method, and apply that request method to input datafor the method. For example, a frontend 162 can respond to a request toPUT input data into the service 160 as an object by storing that inputdata as the object on the service 160. Objects may be stored, forexample, on object data stores 168, which correspond to any persistentor substantially persistent storage (including hard disk drives (HDDs),solid state drives (SSDs), network accessible storage (NAS), storagearea networks (SANs), non-volatile random access memory (NVRAM), or anyof a variety of storage devices known in the art). As a further example,the frontend 162 can respond to a request to GET an object from theservice 160 by retrieving the object from the stores 168 (the objectrepresenting input data to the GET resource request), and returning theobject to a requesting client device 102.

In some cases, calls to a request method may invoke one or more nativedata manipulations provided by the service 160. For example, a SELECToperation may provide an SQL-formatted query to be applied to an object(also identified within the request), or a GET operation may provide aspecific range of bytes of an object to be returned. The service 160illustratively includes an object manipulation engine 170 configured toperform native data manipulations, which illustratively corresponds to adevice configured with software executable to implement native datamanipulations on the service 160 (e.g., by stripping non-selected bytesfrom an object for a byte-range GET, by applying an SQL query to anobject and returning results of the query, etc.).

In accordance with embodiments of the present disclosure, the service160 can further be configured to enable modification of an I/O path fora given object or collection of objects, such that a called requestmethod is applied to an output of a data manipulation function, ratherthan the resource identified within the call. For example, the service160 may enable a client device 102 to specify that GET operations for agiven object should be subject to execution of a user-defined task onthe on-demand code execution system 120, such that the data returned inresponse to the operation is the output of a task execution rather thanthe requested object. Similarly, the service 160 may enable a clientdevice 102 to specify that PUT operations to store a given object shouldbe subject to execution of a user-defined task on the on-demand codeexecution system 120, such that the data stored in response to theoperation is the output of a task execution rather than the dataprovided for storage by a client device 102. As will be discussed inmore detail below, path modifications may include specification of apipeline of data manipulations, including native data manipulations,task-based manipulations, or combinations thereof. Illustratively, aclient device 102 may specify a pipeline or other data manipulation foran object or object collection through the frontend 162, which may storea record of the pipeline or manipulation in the I/O path modificationdata store 164, which store 164, like the object data stores 168, canrepresent any persistent or substantially persistent storage. Whileshown as distinct in FIG. 1, in some instances the data stores 164 and168 may represent a single collection of data stores. For example, datamodifications to objects or collections may themselves be stored asobjects on the service 160.

To enable data manipulation via execution of user-defined code, thesystem further includes an on-demand code execution system 120. In oneembodiment, the system 120 is solely usable by the object storageservice 160 in connection with data manipulations of an I/O path. Inanother embodiment, the system 120 is additionally accessible by clientdevices 102 to directly implement serverless task executions. Forexample, the on-demand code execution system 120 may provide the service160 (and potentially client devices 102) with one or more userinterfaces, command-line interfaces (CLIs), application programinginterfaces (APIs), or other programmatic interfaces for generating anduploading user-executable code (e.g., including metadata identifyingdependency code objects for the uploaded code), invoking theuser-provided code (e.g., submitting a request to execute the user codeson the on-demand code execution system 120), scheduling event-based jobsor timed jobs, tracking the user-provided code, or viewing other loggingor monitoring information related to their requests or user codes.Although one or more embodiments may be described herein as using a userinterface, it should be appreciated that such embodiments may,additionally or alternatively, use any CLIs, APIs, or other programmaticinterfaces.

In addition, as shown in FIG. 1, the service 160 may include a dataaccess control engine 172 configured to perform native data accesscontrol (e.g., using a default data access control code), whichillustratively corresponds to a device configured with softwareexecutable to implement data access control on the service 160 (e.g., bysetting permissions for individual users and specifying the portions ofthe data accessible by the individual users). Additionally, the dataaccess control engine 172 may facilitate data access control performedbased on executing one or more additional data access control codes(e.g., submitted by the data owner/provider). Although illustrated as aseparate component, the data access control engine 172 may in some casesbe integrated into the frontend(s) 162 or another component of theservice 160.

The service 160 may further include a code execution control engine 174configured to perform code execution control, which illustrativelycorresponds to a device configured with software executable tofacilitate execution of native or user-submitted code (e.g., programcode submitted by the owner of the data objects stored by the service160) either internally on the service 160 or externally on the on-demandcode execution system 120 (e.g., by specifying code executionenvironment rules that can be used to provide certain privileges to, orplace restrictions on, the code being executed). Although illustrated asa separate component, the code execution control engine 174 may in somecases be integrated into the frontend(s) 162 or another component of theservice 160.

The client devices 102, object storage service 160, and on-demand codeexecution system 120 may communicate via a network 104, which mayinclude any wired network, wireless network, or combination thereof. Forexample, the network 104 may be a personal area network, local areanetwork, wide area network, over-the-air broadcast network (e.g., forradio or television), cable network, satellite network, cellulartelephone network, or combination thereof. As a further example, thenetwork 104 may be a publicly accessible network of linked networks,possibly operated by various distinct parties, such as the Internet. Insome embodiments, the network 104 may be a private or semi-privatenetwork, such as a corporate or university intranet. The network 104 mayinclude one or more wireless networks, such as a Global System forMobile Communications (GSM) network, a Code Division Multiple Access(CDMA) network, a Long Term Evolution (LTE) network, or any other typeof wireless network. The network 104 can use protocols and componentsfor communicating via the Internet or any of the other aforementionedtypes of networks. For example, the protocols used by the network 104may include Hypertext Transfer Protocol (HTTP), HTTP Secure (HTTPS),Message Queue Telemetry Transport (MQTT), Constrained ApplicationProtocol (CoAP), and the like. Protocols and components forcommunicating via the Internet or any of the other aforementioned typesof communication networks are well known to those skilled in the artand, thus, are not described in more detail herein.

To enable interaction with the on-demand code execution system 120, thesystem 120 includes one or more frontends 130, which enable interactionwith the on-demand code execution system 120. In an illustrativeembodiment, the frontends 130 serve as a “front door” to the otherservices provided by the on-demand code execution system 120, enablingusers (via client devices 102) or the service 160 to provide, requestexecution of, and view results of computer executable code. Thefrontends 130 include a variety of components to enable interactionbetween the on-demand code execution system 120 and other computingdevices. For example, each frontend 130 may include a request interfaceproviding client devices 102 and the service 160 with the ability toupload or otherwise communication user-specified code to the on-demandcode execution system 120 and to thereafter request execution of thatcode. In one embodiment, the request interface communicates withexternal computing devices (e.g., client devices 102, frontend 162,etc.) via a graphical user interface (GUI), CLI, or API. The frontends130 process the requests and make sure that the requests are properlyauthorized. For example, the frontends 130 may determine whether theuser associated with the request is authorized to access the user codespecified in the request.

References to user code as used herein may refer to any program code(e.g., a program, routine, subroutine, thread, etc.) written in aspecific program language. In the present disclosure, the terms “code,”“user code,” and “program code,” may be used interchangeably. Such usercode may be executed to achieve a specific function, for example, inconnection with a particular data transformation developed by the user.As noted above, individual collections of user code (e.g., to achieve aspecific function) are referred to herein as “tasks,” while specificexecutions of that code (including, e.g., compiling code, interpretingcode, or otherwise making the code executable) are referred to as “taskexecutions” or simply “executions.” Tasks may be written, by way ofnon-limiting example, in JavaScript (e.g., node.js), Java, Python, orRuby (or another programming language).

To manage requests for code execution, the frontend 130 can include anexecution queue, which can maintain a record of requested taskexecutions. Illustratively, the number of simultaneous task executionsby the on-demand code execution system 120 is limited, and as such, newtask executions initiated at the on-demand code execution system 120(e.g., via an API call, via a call from an executed or executing task,etc.) may be placed on the execution queue and processed, e.g., in afirst-in-first-out order. In some embodiments, the on-demand codeexecution system 120 may include multiple execution queues, such asindividual execution queues for each user account. For example, users ofthe service provider system 110 may desire to limit the rate of taskexecutions on the on-demand code execution system 120 (e.g., for costreasons). Thus, the on-demand code execution system 120 may utilize anaccount-specific execution queue to throttle the rate of simultaneoustask executions by a specific user account. In some instances, theon-demand code execution system 120 may prioritize task executions, suchthat task executions of specific accounts or of specified prioritiesbypass or are prioritized within the execution queue. In otherinstances, the on-demand code execution system 120 may execute tasksimmediately or substantially immediately after receiving a call for thattask, and thus, the execution queue may be omitted.

The frontend 130 can further include an output interface configured tooutput information regarding the execution of tasks on the on-demandcode execution system 120. Illustratively, the output interface maytransmit data regarding task executions (e.g., results of a task, errorsrelated to the task execution, or details of the task execution, such astotal time required to complete the execution, total data processed viathe execution, etc.) to the client devices 102 or the object storageservice 160.

In some embodiments, the on-demand code execution system 120 may includemultiple frontends 130. In such embodiments, a load balancer may beprovided to distribute the incoming calls to the multiple frontends 130,for example, in a round-robin fashion. In some embodiments, the mannerin which the load balancer distributes incoming calls to the multiplefrontends 130 may be based on the location or state of other componentsof the on-demand code execution system 120. For example, a load balancermay distribute calls to a geographically nearby frontend 130, or to afrontend with capacity to service the call. In instances where eachfrontend 130 corresponds to an individual instance of another componentof the on-demand code execution system 120, such as the active pool 148described below, the load balancer may distribute calls according to thecapacities or loads on those other components. Calls may in someinstances be distributed between frontends 130 deterministically, suchthat a given call to execute a task will always (or almost always) berouted to the same frontend 130. This may, for example, assist inmaintaining an accurate execution record for a task, to ensure that thetask executes only a desired number of times. For example, calls may bedistributed to load balance between frontends 130. Other distributiontechniques, such as anycast routing, will be apparent to those of skillin the art.

The on-demand code execution system 120 further includes one or moreworker managers 140 that manage the execution environments, such asvirtual machine instances 150 (shown as VM instance 150A and 150B,generally referred to as a “VM”), used for servicing incoming calls toexecute tasks. While the following will be described with reference tovirtual machine instances 150 as examples of such environments,embodiments of the present disclosure may utilize other environments,such as software containers. In the example illustrated in FIG. 1, eachworker manager 140 manages an active pool 148, which is a group(sometimes referred to as a pool) of virtual machine instances 150executing on one or more physical host computing devices that areinitialized to execute a given task (e.g., by having the code of thetask and any dependency data objects loaded into the instance).

Although the virtual machine instances 150 are described here as beingassigned to a particular task, in some embodiments, the instances may beassigned to a group of tasks, such that the instance is tied to thegroup of tasks and any tasks of the group can be executed within theinstance. For example, the tasks in the same group may belong to thesame security group (e.g., based on their security credentials) suchthat executing one task in a container on a particular instance 150after another task has been executed in another container on the sameinstance does not pose security risks. As discussed below, a task may beassociated with permissions encompassing a variety of aspectscontrolling how a task may execute. For example, permissions of a taskmay define what network connections (if any) can be initiated by anexecution environment of the task. As another example, permissions of atask may define what authentication information is passed to a task,controlling what network-accessible resources are accessible toexecution of a task (e.g., objects on the service 160). In oneembodiment, a security group of a task is based on one or more suchpermissions. For example, a security group may be defined based on acombination of permissions to initiate network connections andpermissions to access network resources. As another example, the tasksof the group may share common dependencies, such that an environmentused to execute one task of the group can be rapidly modified to supportexecution of another task within the group.

Once a triggering event to execute a task has been successfullyprocessed by a frontend 130, the frontend 130 passes a request to aworker manager 140 to execute the task. In one embodiment, each frontend130 may be associated with a corresponding worker manager 140 (e.g., aworker manager 140 co-located or geographically nearby to the frontend130) and thus, the frontend 130 may pass most or all requests to thatworker manager 140. In another embodiment, a frontend 130 may include alocation selector configured to determine a worker manager 140 to whichto pass the execution request. In one embodiment, the location selectormay determine the worker manager 140 to receive a call based on hashingthe call, and distributing the call to a worker manager 140 selectedbased on the hashed value (e.g., via a hash ring). Various othermechanisms for distributing calls between worker managers 140 will beapparent to one of skill in the art.

Thereafter, the worker manager 140 may modify a virtual machine instance150 (if necessary) and execute the code of the task within the instance150. As shown in FIG. 1, respective instances 150 may have operatingsystems (OS) 152 (shown as OS 152A and 152B), language runtimes 154(shown as runtime 154A and 154B), and user code 156 (shown as user code156A and 156B). The OS 152, runtime 154, and user code 156 maycollectively enable execution of the user code to implement the task.Thus, via operation of the on-demand code execution system 120, tasksmay be rapidly executed within an execution environment.

In accordance with aspects of the present disclosure, each VM 150additionally includes staging code 157 executable to facilitate stagingof input data on the VM 150 and handling of output data written on theVM 150, as well as a VM data store 158 accessible through a local filesystem of the VM 150. Illustratively, the staging code 157 represents aprocess executing on the VM 150 (or potentially a host device of the VM150) and configured to obtain data from the object storage service 160and place that data into the VM data store 158. The staging code 157 canfurther be configured to obtain data written to a file within the VMdata store 158, and to transmit that data to the object storage service160. Because such data is available at the VM data store 158, user code156 is not required to obtain data over a network, simplifying user code156 and enabling further restriction of network communications by theuser code 156, thus increasing security. Rather, as discussed above,user code 156 may interact with input data and output data as files onthe VM data store 158, by use of file handles passed to the code 156during an execution. In some embodiments, input and output data may bestored as files within a kernel-space file system of the data store 158.In other instances, the staging code 157 may provide a virtual filesystem, such as a filesystem in userspace (FUSE) interface, whichprovides an isolated file system accessible to the user code 156, suchthat the user code's access to the VM data store 158 is restricted.

As used herein, the term “local file system” generally refers to a filesystem as maintained within an execution environment, such that softwareexecuting within the environment can access data as file, rather thanvia a network connection. In accordance with aspects of the presentdisclosure, the data storage accessible via a local file system mayitself be local (e.g., local physical storage), or may be remote (e.g.,accessed via a network protocol, like NFS, or represented as avirtualized block device provided by a network-accessible service).Thus, the term “local file system” is intended to describe a mechanismfor software to access data, rather than physical location of the data.

The VM data store 158 can include any persistent or non-persistent datastorage device. In one embodiment, the VM data store 158 is physicalstorage of the host device, or a virtual disk drive hosted on physicalstorage of the host device. In another embodiment, the VM data store 158is represented as local storage, but is in fact a virtualized storagedevice provided by a network accessible service. For example, the VMdata store 158 may be a virtualized disk drive provided by anetwork-accessible block storage service. In some embodiments, theobject storage service 160 may be configured to provide file-levelaccess to objects stored on the data stores 168, thus enabling the VMdata store 158 to be virtualized based on communications between thestaging code 157 and the service 160. For example, the object storageservice 160 can include a file-level interface 166 providing networkaccess to objects within the data stores 168 as files. The file-levelinterface 166 may, for example, represent a network-based file systemserver (e.g., a network file system (NFS)) providing access to objectsas files, and the staging code 157 may implement a client of thatserver, thus providing file-level access to objects of the service 160.

In some instances, the VM data store 158 may represent virtualizedaccess to another data store executing on the same host device of a VMinstance 150. For example, an active pool 148 may include one or moredata staging VM instances (not shown in FIG. 1), which may beco-tenanted with VM instances 150 on the same host device. A datastaging VM instance may be configured to support retrieval and storageof data from the service 160 (e.g., data objects or portions thereof,input data passed by client devices 102, etc.), and storage of that dataon a data store of the data staging VM instance. The data staging VMinstance may, for example, be designated as unavailable to supportexecution of user code 156, and thus be associated with elevatedpermissions relative to instances 150 supporting execution of user code.The data staging VM instance may make this data accessible to other VMinstances 150 within its host device (or, potentially, on nearby hostdevices), such as by use of a network-based file protocol, like NFS.Other VM instances 150 may then act as clients to the data staging VMinstance, enabling creation of virtualized VM data stores 158 that, fromthe point of view of user code 156A, appear as local data stores.Beneficially, network-based access to data stored at a data staging VMcan be expected to occur very quickly, given the co-location of a datastaging VM and a VM instance 150 within a host device or on nearby hostdevices.

While some examples are provided herein with respect to use of IO streamhandles to read from or write to a VM data store 158, IO streams mayadditionally be used to read from or write to other interfaces of a VMinstance 150 (while still removing a need for user code 156 to conductoperations other than stream-level operations, such as creating networkconnections). For example, staging code 157 may “pipe” input data to anexecution of user code 156 as an input stream, the output of which maybe “piped” to the staging code 157 as an output stream. As anotherexample, a staging VM instance or a hypervisor to a VM instance 150 maypass input data to a network port of the VM instance 150, which may beread-from by staging code 157 and passed as an input stream to the usercode 157. Similarly, data written to an output stream by the task code156 may be written to a second network port of the instance 150A forretrieval by the staging VM instance or hypervisor. In yet anotherexample, a hypervisor to the instance 150 may pass input data as datawritten to a virtualized hardware input device (e.g., a keyboard) andstaging code 157 may pass to the user code 156 a handle to the IO streamcorresponding to that input device. The hypervisor may similarly pass tothe user code 156 a handle for an IO stream corresponding to anvirtualized hardware output device, and read data written to that streamas output data. Thus, the examples provided herein with respect to filestreams may generally be modified to relate to any IO stream.

The object storage service 160 and on-demand code execution system 120are depicted in FIG. 1 as operating in a distributed computingenvironment including several computer systems that are interconnectedusing one or more computer networks (not shown in FIG. 1). The objectstorage service 160 and on-demand code execution system 120 could alsooperate within a computing environment having a fewer or greater numberof devices than are illustrated in FIG. 1. Thus, the depiction of theobject storage service 160 and on-demand code execution system 120 inFIG. 1 should be taken as illustrative and not limiting to the presentdisclosure. For example, the on-demand code execution system 120 orvarious constituents thereof could implement various Web servicescomponents, hosted or “cloud” computing environments, or peer to peernetwork configurations to implement at least a portion of the processesdescribed herein. In some instances, the object storage service 160 andon-demand code execution system 120 may be combined into a singleservice. Further, the object storage service 160 and on-demand codeexecution system 120 may be implemented directly in hardware or softwareexecuted by hardware devices and may, for instance, include one or morephysical or virtual servers implemented on physical computer hardwareconfigured to execute computer executable instructions for performingvarious features that will be described herein. The one or more serversmay be geographically dispersed or geographically co-located, forinstance, in one or more data centers. In some instances, the one ormore servers may operate as part of a system of rapidly provisioned andreleased computing resources, often referred to as a “cloud computingenvironment.”

In the example of FIG. 1, the object storage service 160 and on-demandcode execution system 120 are illustrated as connected to the network104. In some embodiments, any of the components within the objectstorage service 160 and on-demand code execution system 120 cancommunicate with other components of the on-demand code execution system120 via the network 104. In other embodiments, not all components of theobject storage service 160 and on-demand code execution system 120 arecapable of communicating with other components of the virtualenvironment 100. In one example, only the frontends 130 and 162 (whichmay in some instances represent multiple frontends) may be connected tothe network 104, and other components of the object storage service 160and on-demand code execution system 120 may communicate with othercomponents of the environment 100 via the respective frontends 130 and162.

While some functionalities are generally described herein with referenceto an individual component of the object storage service 160 andon-demand code execution system 120, other components or a combinationof components may additionally or alternatively implement suchfunctionalities. For example, while the object storage service 160 isdepicted in FIG. 1 as including an object manipulation engine 170,functions of that engine 170 may additionally or alternatively beimplemented as tasks on the on-demand code execution system 120.Moreover, while the on-demand code execution system 120 is described asan example system to apply data manipulation tasks, other computesystems may be used to execute user-defined tasks, which compute systemsmay include more, fewer or different components than depicted as part ofthe on-demand code execution system 120. In a simplified example, theobject storage service 160 may include a physical computing deviceconfigured to execute user-defined tasks on demand, thus representing acompute system usable in accordance with embodiments of the presentdisclosure. Thus, the specific configuration of elements within FIG. 1is intended to be illustrative.

FIG. 2 depicts a general architecture of a frontend server 200 computingdevice implementing a frontend 162 of FIG. 1. The general architectureof the frontend server 200 depicted in FIG. 2 includes an arrangement ofcomputer hardware and software that may be used to implement aspects ofthe present disclosure. The hardware may be implemented on physicalelectronic devices, as discussed in greater detail below. The frontendserver 200 may include many more (or fewer) elements than those shown inFIG. 2. It is not necessary, however, that all of these generallyconventional elements be shown in order to provide an enablingdisclosure. Additionally, the general architecture illustrated in FIG. 2may be used to implement one or more of the other components illustratedin FIG. 1.

As illustrated, the frontend server 200 includes a processing unit 290,a network interface 292, a computer readable medium drive 294, and aninput/output device interface 296, all of which may communicate with oneanother by way of a communication bus. The network interface 292 mayprovide connectivity to one or more networks or computing systems. Theprocessing unit 290 may thus receive information and instructions fromother computing systems or services via the network 104. The processingunit 290 may also communicate to and from primary memory 280 orsecondary memory 298 and further provide output information for anoptional display (not shown) via the input/output device interface 296.The input/output device interface 296 may also accept input from anoptional input device (not shown).

The primary memory 280 or secondary memory 298 may contain computerprogram instructions (grouped as units in some embodiments) that theprocessing unit 290 executes in order to implement one or more aspectsof the present disclosure. These program instructions are shown in FIG.2 as included within the primary memory 280, but may additionally oralternatively be stored within secondary memory 298. The primary memory280 and secondary memory 298 correspond to one or more tiers of memorydevices, including (but not limited to) RAM, 3D XPOINT memory, flashmemory, magnetic storage, and the like. The primary memory 280 isassumed for the purposes of description to represent a main workingmemory of the worker manager 140, with a higher speed but lower totalcapacity than secondary memory 298.

The primary memory 280 may store an operating system 284 that providescomputer program instructions for use by the processing unit 290 in thegeneral administration and operation of the frontend server 200. Thememory 280 may further include computer program instructions and otherinformation for implementing aspects of the present disclosure. Forexample, in one embodiment, the memory 280 includes a user interfaceunit 282 that generates user interfaces (or instructions therefor) fordisplay upon a computing device, e.g., via a navigation or browsinginterface such as a browser or application installed on the computingdevice.

In addition to or in combination with the user interface unit 282, thememory 280 may include a control plane unit 286 and data plane unit 288each executable to implement aspects of the present disclosure.Illustratively, the control plane unit 286 may include code executableto enable owners of data objects or collections of objects to attachmanipulations, serverless functions, or data processing pipelines to anI/O path, in accordance with embodiments of the present disclosure. Forexample, the control plane unit 286 may enable the frontend 162 toimplement the interactions of FIG. 3. The data plane unit 288 mayillustratively include code enabling handling of I/O operations on theobject storage service 160, including implementation of manipulations,serverless functions, or data processing pipelines attached to an I/Opath (e.g., via the interactions of FIGS. 5A-6B, implementation of theroutines of FIGS. 7-8, etc.).

The frontend server 200 of FIG. 2 is one illustrative configuration ofsuch a device, of which others are possible. For example, while shown asa single device, a frontend server 200 may in some embodiments beimplemented as multiple physical host devices. Illustratively, a firstdevice of such a frontend server 200 may implement the control planeunit 286, while a second device may implement the data plane unit 288.

While described in FIG. 2 as a frontend server 200, similar componentsmay be utilized in some embodiments to implement other devices shown inthe environment 100 of FIG. 1. For example, a similar device mayimplement a worker manager 140, as described in more detail in U.S. Pat.No. 9,323,556, entitled “PROGRAMMATIC EVENT DETECTION AND MESSAGEGENERATION FOR REQUESTS TO EXECUTE PROGRAM CODE,” and filed Sep. 30,2014 (the “'556 patent”), the entirety of which is hereby incorporatedby reference.

With reference to FIG. 3, illustrative interactions are depicted forenabling a client device 102A to modify an I/O path for one or moreobjects on an object storage service 160 by inserting a datamanipulation into the I/O path, which manipulation is implemented withina task executable on the on-demand code execution system 120.

The interactions of FIG. 3 begin at (1), where the client device 102Aauthors the stream manipulation code. The code can illustrativelyfunction to access an input file handle provided on execution of theprogram (which may, for example, be represented by the standard inputstream for a program, commonly “stdin”), perform manipulations on dataobtained from that file handle, and write data to an output file handleprovided on execution of the program (which may, for example, byrepresented by the standard output stream for a program, commonly“stdout”).

While examples are discussed herein with respect to a “file” handle,embodiments of the present disclosure may utilize handles providingaccess to any operating-system-level input/output (IO) stream, examplesof which include byte streams, character streams, file streams, and thelike. As used herein, the term operating-system-level input/outputstream (or simply an “IO stream”) is intended to refer to a stream ofdata for which an operating system provides a defined set of functions,such as seeking within the stream, reading from a stream, and writing toa stream. Streams may be created in various manners. For example, aprogramming language may generate a stream by use of a function libraryto open a file on a local operating system, or a stream may be createdby use of a “pipe” operator (e.g., within an operating system shellcommand language). As will be appreciated by one skilled in the art,most general purpose programming languages include, as basicfunctionality of the code, the ability to interact with streams.

In accordance with embodiments of the present disclosure, task code maybe authored to accept, as a parameter of the code, an input handle andan output handle, both representing IO streams (e.g., an input streamand an output stream, respectively). The code may then manipulate dataof the input stream, and write an output to the output stream. Given useof a general purpose programming language, any of a variety of functionsmay be implemented according to the desires of the user. For example, afunction may search for and remove confidential information from theinput stream. While some code may utilize only input and output handles,other code may implement additional interfaces, such as networkcommunication interfaces. However, by providing the code with access toinput and output streams (via respective handles) created outside of thecode, the need for the code to create such streams is removed. Moreover,because streams may be created outside of the code, and potentiallyoutside of an execution environment of the code, stream manipulationcode need not necessarily be trusted to conduct certain operations thatmay be necessary to create a stream. For example, a stream may representinformation transmitted over a network connection, without the codebeing provided with access to that network connection. Thus, use of IOstreams to pass data into and out of code executions can simplify codewhile increasing security.

As noted above, the code may be authored in a variety of programminglanguages. Authoring tools for such languages are known in the art andthus will not be described herein. While authoring is described in FIG.3 as occurring on the client device 102A, the service 160 may in someinstances provide interfaces (e.g., web GUIs) through which to author orselect code.

At (2), the client device 102A submits the stream manipulation code tothe frontend 162 of the service 160, and requests that an execution ofthe code be inserted into an I/O path for one or more objects.Illustratively, the frontends 162 may provide one or more interfaces tothe device 102A enabling submission of the code (e.g., as a compressedfile). The frontends 162 may further provide interfaces enablingdesignation of one or more I/O paths to which an execution of the codeshould be applied. Each I/O path may correspond, for example, to anobject or collection of objects (e.g., a “bucket” of objects). In someinstances, an I/O path may further corresponding to a given way ofaccessing such object or collection (e.g., a URI through which theobject is created), to one or more accounts attempting to access theobject or collection, or to other path criteria. Designation of the pathmodification is then stored in the I/O path modification data store 164,at (3). Additionally, the stream manipulation code is stored within theobject data stores 166 at (4).

As such, when an I/O request is received via the specified I/O path, theservice 160 is configured to execute the stream manipulation codeagainst input data for the request (e.g., data provided by the clientdevice 102A or an object of the service 160, depending on the I/Orequest), before then applying the request to the output of the codeexecution. In this manner, a client device 102A (which in FIG. 3illustratively represents an owner of an object or object collection)can obtain greater control over data stored on and retrieved from theobject storage service 160.

The interactions of FIG. 3 generally relate to insertion of a singledata manipulation into the I/O path of an object or collection on theservice 160. However, in some embodiments of the present disclosure anowner of an object or collection is enabled to insert multiple datamanipulations into such an I/O path. Each data manipulation maycorrespond, for example, to a serverless code-based manipulation or anative manipulation of the service 160. For example, assume an owner hassubmitted a data set to the service 160 as an object, and that the ownerwishes to provide an end user with a filtered view of a portion of thatdata set. While the owner could store that filtered view of the portionas a separate object and provide the end user with access to thatseparate object, this results in data duplication on the service 160. Inthe case that the owner wishes to provide multiple end users withdifferent portions of the data set, potentially with customized filters,that data duplication grows, resulting in significant inefficiencies. Inaccordance with the present disclosure, another option may be for theowner to author or obtain custom code to implement different filters ondifferent portions of the object, and to insert that code into the I/Opath for the object. However, this approach may require the owner toduplicate some native functionality of the service 160 (e.g., an abilityto retrieve a portion of a data set). Moreover, this approach wouldinhibit modularity and reusability of code, since a single set of codewould be required to conduct two functions (e.g., selecting a portion ofthe data and filtering that portion).

To address these shortcomings, embodiments of the present disclosureenable an owner to create a pipeline of data manipulations to be appliedto an I/O path, linking together multiple data manipulations, each ofwhich may also be inserted into other I/O paths. An illustrativevisualization of such a pipeline is shown in FIG. 4 as pipeline 400.Specifically, the pipeline 400 illustrates a series of datamanipulations that an owner specifies are to occur on calling of arequest method against an object or object collection. As shown in FIG.4, the pipeline begins with input data, specified within the callaccording to a called request method. For example, a PUT call maygenerally include the input data as the data to be stored, while a GETcall may generally include the input data by reference to a storedobject. A LIST call may specify a directory, a manifest of which is theinput data to the LIST request method.

Contrary to typical implementations of request methods, in theillustrative pipeline 400, the called request method is not initiallyapplied to the input data. Rather, the input data is initially passed toan execution of “code A” 404, where code A represents a first set ofuser-authored code. The output of that execution is then passed to“native function A” 406, which illustratively represents a nativefunction of the service 160, such as a “SELECT” or byte-range functionimplemented by the object manipulation engine 170. The output of thatnative function 406 is then passed to an execution of “code B” 408,which represents a second set of user-authored code. Thereafter, theoutput of that execution 408 is passed to the called request method 410(e.g., GET, PUT, LIST, etc.). Accordingly, rather than the requestmethod being applied to the input data as in conventional techniques, inthe illustration of FIG. 4, the request method is applied to the outputof the execution 408, which illustratively represents a transformationof the input data according to one or more owner-specified manipulations412. Notably, implementation of the pipeline 400 may not require anyaction or imply any knowledge of the pipeline 400 on the part of acalling client device 102. As such, implementation of pipelines can beexpected not to impact existing mechanisms of interacting with theservice 160 (other than altering the data stored on or retrieved fromthe service 160 in accordance with the pipeline). For example,implementation of a pipeline can be expected not to requirereconfiguration of existing programs utilizing an API of the service160.

While the pipeline 400 of FIG. 4 is linear, in some embodiments theservice 160 may enable an owner to configure non-linear pipelines, suchas by include conditional or branching nodes within the pipeline.Illustratively, as described in more detail below, data manipulations(e.g., serverless-based functions) can be configured to include a returnvalue, such as an indication of successful execution, encountering anerror, etc. In one example, the return value of a data manipulation maybe used to select a conditional branch within a branched pipeline, suchthat a first return value causes the pipeline to proceed on a firstbranch, while a second return value causes the pipeline to proceed on asecond branch. In some instances, pipelines may include parallelbranches, such that data is copied or divided to multiple datamanipulations, the outputs of which are passed to a single datamanipulation for merging prior to executing the called method. Theservice 160 may illustratively provide a graphical user interfacethrough which owners can create pipelines, such as by specifying nodeswithin the pipeline and linking those nodes together via logicalconnections. A variety of flow-based development interfaces are knownand may be utilized in conjunction with aspects of the presentdisclosure.

Furthermore, in some embodiments, a pipeline applied to a particular I/Opath may be generated on-the-fly, at the time of a request, based ondata manipulations applied to the path according to different criteria.For example, an owner of a data collection may apply a first datamanipulation to all interactions with objects within a collection, and asecond data manipulation to all interactions obtained via a given URI.Thus, when a request is received to interact with an object within thecollection and via the given URI, the service 160 may generate apipeline combining the first and second data manipulations. The service160 may illustratively implement a hierarchy of criteria, such thatmanipulations applied to objects are placed within the pipeline prior tomanipulations applied to a URI, etc.

In some embodiments, client devices 102 may be enabled to requestinclusion of a data manipulation within a pipeline. For example, withinparameters of a GET request, a client device 102 may specify aparticular data manipulation to be included within a pipeline applied inconnection with the request. Illustratively, a collection owner mayspecify one or more data manipulations allowed for the collection, andfurther specify identifiers for those manipulations (e.g., functionnames). Thus, when requesting to interact with the collection, a clientdevice 102 may specify the identifier to cause the manipulation to beincluded within a pipeline applied to the I/O path. In one embodiment,client-requested manipulations are appended to the end of a pipelinesubsequent to owner-specified data manipulations and prior toimplementing the requested request method. For example, where a clientdevice 102 requests to GET a data set, and requests that a searchfunction by applied to the data set before the GET method isimplemented, the search function can receive as input data the output ofan owner-specified data manipulations for the data set (e.g.,manipulations to remove confidential information from the data set). Inaddition, requests may in some embodiments specify parameters to bepassed to one or more data manipulations (whether specified within therequest or not). Accordingly, while embodiments of the presentdisclosure can enable data manipulations without knowledge of thosemanipulations on the part of client devices 102, other embodiments mayenable client devices 102 to pass information within an I/O request foruse in implementing data manipulations.

Moreover, while example embodiments of the present disclosure arediscussed with respect to manipulation of input data to a called method,embodiments of the present disclosure may further be utilized to modifyaspects of a request, including a called method. For example, aserverless task execution may be passed the content of a request(including, e.g., a called method and parameters) and be configured tomodify and return, as a return value to a frontend 162, a modifiedversion of the method or parameters. Illustratively, where a clientdevice 102 is authenticated as a user with access to only a portion of adata object, a serverless task execution may be passed a call to “GET”that data object, and may transform parameters of the GET request suchthat it applies only to a specific byte range of the data objectcorresponding to the portion that the user may access. As a furtherexample, tasks may be utilized to implement customized parsing orrestrictions on called methods, such as by limiting the methods a usermay call, the parameters to those methods, or the like. In someinstances, application of one or more functions to a request (e.g., tomodify the method called or method parameters) may be viewed as a“pre-data processing” pipeline, and may thus be implemented prior toobtaining the input data within the pipeline 400 (which input data maychange due to changes in the request), or may be implementedindependently of a data manipulation pipeline 400.

Similarly, while example embodiments of the present disclosure arediscussed with respect to application of a called method to output dataof one or more data manipulations, in some embodiments manipulations canadditionally or alternatively occur after application of a calledmethod. For example, a data object may contain sensitive data that adata owner desires to remove prior to providing the data to a client.The owner may further enable a client to specify native manipulations tothe data set, such as conducting a database query on the dataset (e.g.,via a SELECT resource method). While the owner may specify a pipelinefor the data set to cause filtering of sensitive data to be conductedprior to application of the SELECT method, such an order of operationsmay be undesirable, as filtering may occur with respect to the entiredata object rather than solely the portion returned by the SELECT query.Accordingly, additionally or alternatively to specifying manipulationsthat occur prior to satisfying a request method, embodiments of thepresent disclosure can enable an owner to specify manipulations to occursubsequent to application of a called method but prior to conducting afinal operation to satisfy a request. For example, in the case of aSELECT operation, the service 160 may first conduct the SELECT operationagainst specified input data (e.g., a data object), and then pass theoutput of that SELECT operation to a data manipulation, such as aserverless task execution. The output of that execution can then bereturned to a client device 102 to satisfy the request.

While FIG. 3 and FIG. 4 are generally described with reference toserverless tasks authored by an owner of an object or collection, insome instances the service 160 may enable code authors to share theirtasks with other users of the service 160, such that code of a firstuser is executed in the I/O path of an object owned by a second user.The service 160 may also provide a library of tasks for use by eachuser. In some cases, the code of a shared task may be provided to otherusers. In other cases, the code of the shared task may be hidden fromother users, such that the other users can execute the task but not viewcode of the task. In these cases, other users may illustratively beenabled to modify specific aspects of code execution, such as thepermissions under which the code will execute.

With reference to FIGS. 5A and 5B, illustrative interactions will bediscussed for applying a modification to an I/O path for a request tostore an object on the service 160, which request is referred to inconnection with these figures as a “PUT” request or “PUT object call.”While shown in two figures, numbering of interactions is maintainedacross FIGS. 5A and 5B.

The interactions begin at (1), where a client device 102A submits a PUTobject call to the storage service 160, corresponding to a request tostore input data (e.g., included or specified within the call) on theservice 160. The input data may correspond, for example, to a filestored on the client device 102A. As shown in FIG. 5A, the call isdirected to a frontend 162 of the service 162 that, at (2), retrievesfrom the I/O path modification data store 164 an indication ofmodifications to the I/O path for the call. The indication may reflect,for example, a pipeline to be applied to calls received on the I/O path.The I/O path for a call may generally be specified with respect to arequest method included within a call, an object or collection ofobjects indicated within the call, a specific mechanism of reaching theservice 160 (e.g., protocol, URI used, etc.), an identity orauthentication status of the client device 102A, or a combinationthereof. For example, in FIG. 5A, the I/O path used can correspond touse of a PUT request method directed to a particular URI (e.g.,associated with the frontend 162) to store an object in a particularlogical location on the service 160 (e.g., a specific bucket). In FIGS.5A and 5B, it is assumed that an owner of that logical location haspreviously specified a modification to the I/O path, and specifically,has specified that a serverless function should be applied to the inputdata before a result of that function is stored in the service 160.

Accordingly, at (3), the frontend 162 detects within the modificationsfor the I/O path inclusion of a serverless task execution. Thus, at (4),the frontend 162 submits a call to the on-demand code execution system120 to execute the task specified within the modifications against theinput data specified within the call.

The on-demand code execution system 120, at (5), therefore generates anexecution environment 502 in which to execute code corresponding to thetask. Illustratively, the call may be directed to a frontend 130 of thesystem, which may distribute instructions to a worker manager 140 toselect or generate a VM instance 150 in which to execute the task, whichVM instance 150 illustratively represents the execution environment 502.During generation of the execution environment 502, the system 120further provisions the environment with code 504 of the task indicatedwithin the I/O path modification (which may be retrieved, for example,from the object data stores 166). While not shown in FIG. 5A, theenvironment 502 further includes other dependencies of the code, such asaccess to an operating system, a runtime required to execute the code,etc.

In some embodiments, generation of the execution environment 502 caninclude configuring the environment 502 with security constraintslimiting access to network resources. Illustratively, where a task isintended to conduct data manipulation without reference to networkresources, the environment 502 can be configured with no ability to sendor receive information via a network. Where a task is intended toutilize network resources, access to such resources can be provided on a“whitelist” basis, such that network communications from the environment502 are allowed only for specified domains, network addresses, or thelike. Network restrictions may be implemented, for example, by a hostdevice hosting the environment 502 (e.g., by a hypervisor or hostoperating system). In some instances, network access requirements may beutilized to assist in placement of the environment 502, either logicallyor physically. For example, where a task requires no access to networkresources, the environment 502 for the task may be placed on a hostdevice that is distant from other network-accessible services of theservice provider system 110, such as an “edge” device with alower-quality communication channel to those services. Where a taskrequires access to otherwise private network services, such as servicesimplemented within a virtual private cloud (e.g., alocal-area-network-like environment implemented on the service 160 onbehalf of a given user), the environment 502 may be created to existlogically within that cloud, such that a task execution 502 accessesresources within the cloud. In some instances, a task may be configuredto execute within a private cloud of a client device 102 that submits anI/O request. In other instances, a task may be configured to executewithin a private cloud of an owner of the object or collectionreferenced within the request.

In addition to generating the environment 502, at (6), the system 120provisions the environment with stream-level access to an input filehandle 506 and an output file handle 508, usable to read from and writeto the input data and output data of the task execution, respectively.In one embodiment, files handle 506 and 508 may point to a (physical orvirtual) block storage device (e.g., disk drive) attached to theenvironment 502, such that the task can interact with a local filesystem to read input data and write output data. For example, theenvironment 502 may represent a virtual machine with a virtual diskdrive, and the system 120 may obtain the input data from the service 160and store the input data on the virtual disk drive. Thereafter, onexecution of the code, the system 120 may pass to the code a handle ofthe input data as stored on the virtual disk drive, and a handle of afile on the drive to which to write output data. In another embodiment,files handle 506 and 508 may point to a network file system, such as anNFS-compatible file system, on which the input data has been stored. Forexample, the frontend 162 during processing of the call may store theinput data as an object on the object data stores 166, and thefile-level interface 166 may provide file-level access to the input dataand to a file representing output data. In some cases, the file handles506 and 508 may point to files on a virtual file system, such as a filesystem in user space. By providing handles 506 and 508, the task code504 is enabled to read the input data and write output data using streammanipulations, as opposed to being required to implement networktransmissions. Creation of the handles 506 and 508 (or streamscorresponding to the handles) may illustratively be achieved byexecution of staging code 157 within or associated with the environment502.

The interactions of FIG. 5A are continued in FIG. 5B, where the system120 executes the task code 504. As the task code 504 may beuser-authored, any number of functionalities may be implemented withinthe code 504. However, for the purposes of description of FIGS. 5A and5B, it will be assumed that the code 504, when executed, reads inputdata from the input file handle 506 (which may be passed as a commonlyused input stream, such as stdin), manipulates the input data, andwrites output data to the output file handle 508 (which may be passed asa commonly used output stream, such as stdout). Accordingly, at (8), thesystem 120 obtains data written to the output file (e.g., the filereferenced in the output file handle) as output data of the execution.In addition, at (9), the system 120 obtains a return value of the codeexecution (e.g., a value passed in a final call of the function). Forthe purposes of description of FIGS. 5A and 5B, it will be assumed thatthe return value indicates success of the execution. At (10), the outputdata and the success return value are then passed to the frontend 162.

While shown as a single interaction in FIG. 5B, in some embodimentsoutput data of a task execution and a return value of that execution maybe returned separately. For example, during execution, task code 504 maywrite to an output file through the handle 508, and this data may beperiodically or iteratively returned to the service 160. Illustratively,where the output file exists on a file system in user space implementedby staging code, the staging code may detect and forward each write tothe output file to the frontend 162. Where the output file exists on anetwork file system, writes to the file may directly cause the writtendata to be transmitted to the interface 166 and thus the service 160. Insome instances, transmitting written data iteratively may reduce theamount of storage required locally to the environment 502, since writtendata can, according to some embodiments, be deleted from local storageof the environment 502.

In addition, while a success return value is assumed in FIGS. 5A and 5B,other types of return value are possible and contemplated. For example,an error return value may be used to indicate to the frontend 162 thatan error occurred during execution of task code 504. As another example,user-defined return values may be used to control how conditionalbranching within a pipeline proceeds. In some cases, the return valuemay indicate to the frontend 162 a request for further processing. Forexample, a task execution may return to the frontend 162 a call toexecute another serverless task (potentially not specified within a pathmodification for the current I/O path). Moreover, return values mayspecify to the frontend 162 what return value is to be returned to theclient device 102A. For example, a typical PUT request method called atthe service 160 may be expected to return an HTTP 200 code (“OK”). Assuch, a success return value from the task code may further indicatethat the frontend 162 should return an HTTP 200 code to the clientdevice 102A. An error return value may, for example, indicate that thefrontend 162 should return a 3XX HTTP redirection or 4XX HTTP error codeto the client device 102A. Still further, in some cases, return valuesmay specify to the frontend 162 content of a return message to theclient device 102A other than a return value. For example, the frontend162 may be configured to return a given HTTP code (e.g., 200) for anyrequest from the client device 102A that is successfully retrieved atthe frontend 162 and invokes a data processing pipeline. A taskexecution may then be configured to specify, within its return value,data to be passed to the client device 102A in addition to that HTTPcode. Such data may illustratively include structured data (e.g.,extensible markup language (XML) data) providing information generatedby the task execution, such as data indicating success or failure of thetask. This approach may beneficially enable the frontend 162 to quicklyrespond to requests (e.g., without awaiting execution of a task) whilestill enabling a task execution to pass information to the client device102.

For purposes of the present illustration, it will be assumed that thesuccess return value of the task indicates that an HTTP 2XX successresponse should be passed to the device 102A. Accordingly, on receivingoutput data, the frontend 162 stores the output data as an object withinthe object data stores 166, (11). Interaction (11) illustrativelycorresponds to implementation of the PUT request method, initiallycalled for by the client device 102A, albeit by storing the output ofthe task execution rather than the provided input data. Afterimplementing the called PUT request method, the frontend 162, at (12),returns to the client device 102A the success indicator indicated by thesuccess return value of the task (e.g., an HTTP 200 response code).Thus, from the perspective of the client device 102A, a call to PUT anobject on the storage service 160 resulted in creation of that object onthe service 160. However, rather than storing the input data provided bythe device 102A, the object stored on the service 160 corresponds tooutput data of an owner-specified task, thus enabling the owner of theobject greater control over the contents of that object. In some usecases, the service 160 may additionally store the input data as anobject (e.g., where the owner-specified task corresponds to codeexecutable to provide output data usable in conjunction with the inputdata, such as checksum generated from the input data).

With reference to FIGS. 6A and 6B, illustrative interactions will bediscussed for applying a modification to an I/O path for a request toretrieve an object on the service 160, which request is referred to inconnection with these figures as a “GET” request or “GET call.” Whileshown in two figures, numbering of interactions is maintained acrossFIGS. 6A and 6B.

The interactions begin at (1), where a client device 102A submits a GETcall to the storage service 160, corresponding to a request to obtaindata of an object (identified within the call) stored on the service160. As shown in FIG. 6A, the call is directed to a frontend 162 of theservice 160 that, at (2), retrieves from the I/O path modification datastore 164 an indication of modifications to the I/O path for the call.For example, in FIG. 6A, the I/O path used can correspond to use of aGET request method directed to a particular URI (e.g., associated withthe frontend 162) to retrieve an object in a particular logical locationon the service 160 (e.g., a specific bucket). In FIGS. 6A and 6B, it isassumed that an owner of that logical location has previously specifieda modification to the I/O path, and specifically, has specified that aserverless function should be applied to the object before a result ofthat function is returned to the device 102A as the requested object.

Accordingly, at (3), the frontend 162 detects within the modificationsfor the I/O path inclusion of a serverless task execution. Thus, at (4),the frontend 162 submits a call to the on-demand code execution system120 to execute the task specified within the modifications against theobject specified within the call. The on-demand code execution system120, at (5), therefore generates an execution environment 502 in whichto execute code corresponding to the task. Illustratively, the call maybe directed to a frontend 130 of the system, which may distributeinstructions to a worker manager 140 to select or generate a VM instance150 in which to execute the task, which VM instance 150 illustrativelyrepresents the execution environment 502. During generation of theexecution environment 502, the system 120 further provisions theenvironment with code 504 of the task indicated within the I/O pathmodification (which may be retrieved, for example, from the object datastores 166). While not shown in FIG. 6A, the environment 502 furtherincludes other dependencies of the code, such as access to an operatingsystem, a runtime required to execute the code, etc.

In addition, at (6), the system 120 provisions the environment withfile-level access to an input file handle 506 and an output file handle508, usable to read from and write to the input data (the object) andoutput data of the task execution, respectively. As discussed above,files handle 506 and 508 may point to a (physical or virtual) blockstorage device (e.g., disk drive) attached to the environment 502, suchthat the task can interact with a local file system to read input dataand write output data. For example, the environment 502 may represent avirtual machine with a virtual disk drive, and the system 120 may obtainthe object referenced within the call from the service 160, at (6′), andstore the object on the virtual disk drive. Thereafter, on execution ofthe code, the system 120 may pass to the code a handle of the object asstored on the virtual disk drive, and a handle of a file on the drive towhich to write output data. In another embodiment, files handle 506 and508 may point to a network file system, such as an NFS-compatible filesystem, on which the object has been stored. For example, the file-levelinterface 166 may provide file-level access to the object as storedwithin the object data stores, as well as to a file representing outputdata. By providing handles 506 and 508, the task code 504 is enabled toread the input data and write output data using stream manipulations, asopposed to being required to implement network transmissions. Creationof the handles 506 and 508 may illustratively be achieved by executionof staging code 157 within or associated with the environment 502.

The interactions of FIG. 6A are continued in FIG. 6B, where the system120 executes the task code 504 at (7). As the task code 504 may beuser-authored, any number of functionalities may be implemented withinthe code 504. However, for the purposes of description of FIGS. 6A and6B, it will be assumed that the code 504, when executed, reads inputdata (corresponding to the object identified within the call) from theinput file handle 506 (which may be passed as a commonly used inputstream, such as stdin), manipulates the input data, and writes outputdata to the output file handle 508 (which may be passed as a commonlyused output stream, such as stdout). Accordingly, at (8), the system 120obtains data written to the output file (e.g., the file referenced inthe output file handle) as output data of the execution. In addition, at(9), the system 120 obtains a return value of the code execution (e.g.,a value passed in a final call of the function). For the purposes ofdescription of FIGS. 6A and 6B, it will be assumed that the return valueindicates success of the execution. At (10), the output data and thesuccess return value are then passed to the frontend 162.

On receiving output data and the return value, the frontend 162 returnsthe output data of the task execution as the requested object.Interaction (11) thus illustratively corresponds to implementation ofthe GET request method, initially called for by the client device 102A,albeit by returning the output of the task execution rather than theobject specified within the call. From the perspective of the clientdevice 102A, a call to GET an object from the storage service 160therefore results in return of data to the client device 102A as theobject. However, rather than returning the object as stored on theservice 160, the data provided to the client device 102A corresponds tooutput data of an owner-specified task, thus enabling the owner of theobject greater control over the data returned to the client device 102A.

Similarly to as discussed above with respect to FIGS. 5A and 5B, whileshown as a single interaction in FIG. 6B, in some embodiments outputdata of a task execution and a return value of that execution may bereturned separately. In addition, while a success return value isassumed in FIGS. 6A and 6B, other types of return value are possible andcontemplated, such as error values, pipeline-control values, or calls toexecute other data manipulations. Moreover, return values may indicatewhat return value is to be returned to the client device 102A (e.g., asan HTTP status code). In some instances, where output data isiteratively returned from a task execution, the output data may also beiteratively provided by the frontend 162 to the client device 102A.Where output data is large (e.g., on the order of hundreds of megabytes,gigabytes, etc.), iteratively returning output data to the client device102A can enable that data to be provided as a stream, thus speedingdelivery of the content to the device 102A relative to delaying returnof the data until execution of the task completes.

While illustrative interactions are described above with reference toFIGS. 5A-6B, various modifications to these interactions are possibleand contemplated herein. For example, while the interactions describedabove relate to manipulation of input data, in some embodiments aserverless task may be inserted into the I/O path of the service 160 toperform functions other than data manipulation. Illustratively, aserverless task may be utilized to perform validation or authorizationwith respect to a called request method, to verify that a client device102A is authorized to perform the method. Task-based validation orauthorization may enable functions not provided natively by the service160. For example, consider a collection owner who wishes to limitcertain client devices 102 to accessing only objects in the collectioncreated during a certain time range (e.g., the last 30 days, any timeexcluding the last 30 days, etc.). While the service 160 may nativelyprovide authorization on a per-object or per-collection basis, theservice 160 may in some cases not natively provide authorization on aduration-since-creation basis. Accordingly, embodiments of the presentdisclosure enable the owner to insert into an I/O path to the collection(e.g., a GET path using a given URI to the collection) a serverless taskthat determines whether the client is authorized to retrieve a requestedobject based on a creation time of that object. Illustratively, thereturn value provided by an execution of the task may correspond to an“authorized” or “unauthorized” response. In instances where a task doesnot perform data manipulation, it may be unnecessary to provision anenvironment of the task execution with input and output stream handles.Accordingly, the service 160 and system 120 can be configured to foregoprovisioning the environment with such handles in these cases. Whether atask implements data manipulation may be specified, for example, oncreation of the task and stored as metadata for the task (e.g., withinthe object data stores 166). The service 160 may thus determine fromthat metadata whether data manipulation within the task should besupported by provisioning of appropriate stream handles.

While some embodiments may utilize return values without use of streamhandles, other embodiments may instead utilize stream handles withoutuse of return values. For example, while the interactions describedabove relate to providing a return value of a task execution to thestorage service 160, in some instances the system 120 may be configuredto detect completion of a function based on interaction with an outputstream handle. Illustratively, staging code within an environment (e.g.,providing a file system in user space or network-based file system) maydetect a call to deallocate the stream handle (e.g., by calling a“file.close( )” function or the like). The staging code may interpretsuch a call as successful completion of the function, and notify theservice 160 of successful completion without requiring the taskexecution to explicitly provide return value.

While the interactions described above generally relate to passing ofinput data to a task execution, additional or alternative informationmay be passed to the execution. By way of non-limiting example, suchinformation may include the content of the request from the clientdevice 102 (e.g., the HTTP data transmitted), metadata regarding therequest (e.g., a network address from which the request was received ora time of the request), metadata regarding the client device 102 (e.g.,an authentication status of the device, account time, or requesthistory), or metadata regarding the requested object or collection(e.g., size, storage location, permissions, or time created, modified,or accessed). Moreover, in addition or as an alternative to manipulationof input data, task executions may be configured to modify metadataregarding input data, which may be stored together with the input data(e.g., within the object) and thus written by way of an output streamhandle, or which may be separately stored and thus modified by way of ametadata stream handle, inclusion of metadata in a return value, orseparate network transmission to the service 160.

With reference to FIG. 7, an illustrative routine 700 for implementingowner-defined functions in connection with an I/O request obtained atthe object storage service of FIG. 1 over an I/O path will be described.The routine 700 may illustratively be implemented subsequent toassociation of an I/O path (e.g., defined in terms of an object orcollection, a mechanism of access to the object or collection, such as aURI, an account transmitting an IO request, etc.) with a pipeline ofdata manipulations. For example, the routine 700 may be implementedprior to the interactions of FIG. 3, discussed above. The routine 700 isillustratively implemented by a frontend 162.

The routine 700 begins at block 702, where the frontend 162 obtains arequest to apply an I/O method to input data. The request illustrativelycorresponds to a client device (e.g., an end user device). The I/Omethod may correspond, for example, to an HTTP request method, such asGET, PUT, LIST, DELETE, etc. The input data may be included within therequest (e.g., within a PUT request), or referenced in the request(e.g., as an existing object on the object storage service 160.

At block 704, the frontend 162 determines one or more data manipulationsin the I/O path for the request. As noted above, the I/O path may bedefined based on a variety of criteria (or combinations thereof), suchas the object or collection referenced in the request, a URI throughwhich the request was transmitted, an account associated with therequest, etc. Manipulations for each defined I/O path may illustrativelybe stored at the object storage service 160. Accordingly, at block 704,the frontend 162 may compare parameters of the I/O path for the requestto stored data manipulations at the object storage service 160 todetermine data manipulations inserted into the I/O path. In oneembodiment, the manipulations form a pipeline, such as the pipeline 400of FIG. 4, which may be previously stored or constructed by the frontend162 at block 704 (e.g., by combining multiple manipulations that applyto the I/O path). In some instances, an additional data manipulation maybe specified within the request, which data manipulation may beinserted, for example, prior to pre-specified data manipulations (e.g.,not specified within the request). In other instances, the request mayexclude reference to any data manipulation.

At block 706, the frontend 162 passes input data of the I/O request toan initial data manipulation for the I/O path. The initial datamanipulation may include, for example, a native manipulation of theobject storage service 160 or a serverless task defined by an owner ofthe object or collection referenced in the call. Illustratively, wherethe initial data manipulation is a native manipulation, the frontend 162may pass the input to the object manipulation engine 170 of FIG. 1.Where the initial data manipulation is a serverless task, the frontend162 can pass the input to the on-demand code execution system 120 ofFIG. 1 for processing via an execution of the task. An illustrativeroutine for implementing a serverless task is described below withreference to FIG. 8.

While FIG. 7 illustratively describes data manipulations, in someinstances other processing may be applied to an I/O path by an owner.For example, an owner may insert into an I/O path for an object orcollection a serverless task that provides authentication independent ofdata manipulation. Accordingly, in some embodiments block 706 may bemodified such that other data, such as metadata regarding a request oran object specified in the request, is passed to an authenticationfunction or other path manipulation.

Thereafter, the routine 700 proceeds to block 708, where theimplementation of the routine 700 varies according to whether additionaldata manipulations have been associated with the I/O path. If so, theroutine 700 proceeds to block 710, where an output of a priormanipulation is passed to a next manipulation associated with the I/Opath (e.g., a subsequent stage of a pipeline).

Subsequent to block 710, the routine 700 then returns to block 708,until no additional manipulations exist to be implemented. The routine700 then proceeds to block 712, where the frontend 162 applies thecalled I/O method (e.g., GET, PUT, POST, LIST, DELETE, etc.) to theoutput of the prior manipulation. For example, the frontend 162 mayprovide the output as a result of a GET or LIST request, or may storethe output as a new object as a result of a PUT or POST request. Thefrontend 162 may further provide a response to the request to arequesting device, such as an indication of success of the routine 700(or, in cases of failure, failure of the routine). In one embodiment,the response may be determined by a return value provided by a datamanipulation implemented at blocks 706 or 710 (e.g., the finalmanipulation implemented before error or success). For example, amanipulation that indicates an error (e.g., lack of authorization) mayspecify an HTTP code indicating that error, while a manipulation thatproceeds successfully may instruct the frontend 162 to return an HTTPcode indicating success, or may instruct the frontend 162 to return acode otherwise associated with application of the I/O method (e.g., inthe absence of data manipulations). The routine 700 thereafter ends atblock 714.

Notably, application of the called method to that output, as opposed toinput specified in an initial request, may alter data stored in orretrieved from the object storage service 160. For example, data storedon the service 160 as an object may differ from the data submittedwithin a request to store such data. Similarly, data retrieved from thesystem as an object may not match the object as stored on the system.Accordingly, implementation of routine 700 enables an owner of dataobjects to assert greater control over I/O to an object or collectionstored on the object storage service 160 on behalf of the owner.

In some instances, additional or alternative blocks may be includedwithin the routine 700, or implementation of such blocks may includeadditional or alternative operations. For example, as discussed above,in addition to or as an alternative to providing output data, serverlesstask executions may provide a return value. In some instances, thisreturn value may instruct a frontend 162 as to further actions to takein implementing the manipulation. For example, an error return value mayinstruct the frontend 162 to halt implementation of manipulations, andprovide a specified error value (e.g., an HTTP error code) to arequesting device. Another return value may instruct the frontend 162 toimplement an additional serverless task or manipulation. Thus, theroutine 700 may in some cases be modified to include, subsequent toblocks 706 and 710 for example, handling of the return value of a priormanipulation (or block 708 may be modified to include handling of such avalue). Thus, the routine 700 is intended to be illustrative in nature.

With reference to FIG. 8, an illustrative routine 800 will be describedfor executing a task on the on-demand code execution system of FIG. 1 toenable data manipulations during implementation of an owner-definedfunction. The routine 800 is illustratively implemented by the on-demandcode execution system 120 of FIG. 1.

The routine 800 begins at block 802, where the system 120 obtains a callto implement a stream manipulation task (e.g., a task that manipulationsdata provided as an input IO stream handle). The call may be obtained,for example, in conjunction with blocks 706 or 710 of the routine 700 ofFIG. 7. The call may include input data for the task, as well as othermetadata, such as metadata of a request that preceded the call, metadataof an object referenced within the call, or the like.

At block 804, the system 120 generates an execution environment for thetask. Generation of an environment may include, for example, generationof a container or virtual machine instance in which the task may executeand provisioning of the environment with code of the task, as well asany dependencies of the code (e.g., runtimes, libraries, etc.).

In one embodiment, the environment is generated with network permissionscorresponding to permissions specified for the task. As discussed above,such permissions may be restrictively (as opposed to permissively) set,according to a whitelist for example. As such, absent specification ofpermissions by an owner of an I/O path, the environment may lack networkaccess. Because the task operates to manipulate streams, rather thannetwork data, this restrictive model can increase security withoutdetrimental effect on functionality. In some embodiments, theenvironment may be generated at a logical network location providingaccess to otherwise restricted network resources. For example, theenvironment may be generated within a virtual private local area network(e.g., a virtual private cloud environment) associated with a callingdevice.

At block 806, the system 120 stages the environment with an IO streamrepresenting to input data. Illustratively, the system 120 may configurethe environment with a file system that includes the input data, andpass to the task code a handle enabling access of the input data as afile stream. For example, the system 120 may configure the environmentwith a network file system, providing network-based access to the inputdata (e.g., as stored on the object storage system). In another example,the system 120 may configure the environment with a “local” file system(e.g., from the point of view of an operating system providing the filesystem), and copy the input data to the local file system. The localfile system may, for example, be a filesystem in user space (FUSE). Insome instances, the local file system may be implemented on avirtualized disk drive, provided by the host device of the environmentor by a network-based device (e.g., as a network-accessible blockstorage device). In other embodiments, the system 120 may provide the IOstream by “piping” the input data to the execution environment, bywriting the input data to a network socket of the environment (which maynot provide access to an external network), etc. The system 120 furtherconfigures the environment with stream-level access to an output stream,such as by creating a file on the file system for the output data,enabling an execution of the task to create such a file, piping a handleof the environment (e.g., stdout) to a location on another VM instancecollocated with the environment or a hypervisor of the environment, etc.

At block 808, the task is executed within the environment. Execution ofthe task may include executing code of the task, and passing to theexecution handles or handles of the input stream and output stream. Forexample, the system 120 may pass to the execution a handle for the inputdata, as stored on the file system, as a “stdin” variable. The systemmay further pass to the execution a handle for the output data stream,e.g., as a “stdout” variable. In addition, the system 120 may pass otherinformation, such as metadata of the request or an object or collectionspecified within the request, as parameters to the execution. The codeof the task may thus execute to conduct stream manipulations on theinput data according to functions of the code, and to write an output ofthe execution to the output stream using OS-level stream operations.

The routine 800 then proceeds to block 810, where the system 120 returnsdata written to the output stream as output data of the task (e.g., tothe frontend 162 of the object storage system). In one embodiment, block810 may occur subsequent to the execution of the task completing, and assuch, the system 120 may return the data written as the complete outputdata of the task. In other instances, block 810 may occur duringexecution of the task. For example, the system 120 may detect new datawritten to the output stream and return that data immediately, withoutawaiting execution of the task. Illustratively, where the output streamis written to an output file, the system 120 may delete data of theoutput file after writing, such that sending of new data immediatelyobviates a need for the file system to maintain sufficient storage tostore all output data of the task execution. Still further, in someembodiments, block 810 may occur on detecting a close of the outputstream handle describing the output stream.

In addition, at block 812, subsequent to the execution completing, thesystem 120 returns a return value provided by the execution (e.g., tothe frontend 162 of the object storage system). The return value mayspecify an outcome of the execution, such as success or failure. In someinstances, the return value may specify a next action to be undertaken,such as implementation an additional data manipulation. Moreover, thereturn value may specify data to be provided to a calling devicerequesting an I/O operation on a data object, such as an HTTP code to bereturned. As discussed above, the frontend 162 may obtain such returnvalue and undertake appropriate action, such as returning an error orHTTP code to a calling device, implementing an additional datamanipulation, performing an I/O operation on output data, etc. In someinstances, a return value may be explicitly specified within code of thetask. In other instances, such as where no return value is specifiedwithin the code, a default return value may be returned (e.g., a ‘1’indicating success). The routine 800 then ends at block 814.

With reference to FIG. 9, illustrative interactions are depicted forenabling a client device 102A to modify an I/O path for one or moreobjects on an object storage service 160 by inserting data accesscontrol code (or function) into the I/O path, where the data accesscontrol code is executable on the on-demand code execution system 120.

The interactions of FIG. 9 begin at (1), where the client device 102Aauthors the data access control code (or function). As described herein,the data access control code may be a set of computer-executableinstructions written or provided by the owner of the requested dataobject to provide customized access to the data object. The data accesscontrol code may be similar to other user codes described in the presentdisclosure (e.g., with reference to FIG. 1). The data access controlcode can process an incoming request to access a data object stored onthe service 160 (i.e., “data request”), determine metadata associatedwith the data request (i.e., “request metadata”), identify metadataassociated with the requested data object (i.e., “data metadata”), anddetermine whether the user submitting the data request (i.e.,“requesting user”) should be granted access to the requested dataobject, and if so, to which portions of the data object the requestinguser should be given access.

For example, the data access control code may determine, based on theidentity of the requesting user (e.g., indicated by the incoming datarequest), that the requesting user does not have access to the requesteddata object and deny the data request. Alternatively, the data accesscontrol code may determine, based on the identity of the requestinguser, that the requesting user does have access to the requested dataobject and return the requested data object to the requesting user. Insome cases, the data access control code contains the information neededto make the decision to grant or deny access. In other cases, the dataaccess control code retrieves such information at an external database(e.g., with or without the data owner/provider's credentials) and makesthe decision based on the retrieved information. For example, the dataaccess control code may access a user access table indicating, for eachrespective user of a plurality of users of the object storage service(or those associated with or identified by the owner of the dataobject), one or more portions of the data object accessible by therespective user. As noted above, the data access control code may beauthored in a variety of programming languages. Authoring tools for suchlanguages are known in the art and thus will not be described herein.While authoring of the data access control code is described in FIG. 9as occurring on the client device 102A, the service 160 may in someinstances provide interfaces (e.g., web GUIs) through which to author orselect the data access control code.

At (2), the client device 102A submits the data access control code tothe frontend 162 of the service 160, and at (3), requests that anexecution of the data access control code be inserted into an I/O pathfor one or more data objects stored by the service 160. Illustratively,the frontend 162 may provide one or more interfaces to the client device102A enabling submission of the data access control code (e.g., as acompressed file). The frontend 162 may further provide interfacesenabling designation of one or more I/O paths to which an execution ofthe data access control code should be applied. Each I/O path maycorrespond, for example, to an object or collection of objects (e.g., a“bucket” of objects). In some instances, an I/O path may furthercorrespond to a given way of accessing such object or collection (e.g.,a URI through which the object is accessed), to one or more accountsattempting to access the object or collection (e.g., the user account ofa requesting user who has submitted the request to access the object orcollection), or to other path criteria. For example, in some cases, thedata access control code may be inserted into only some of the I/Opaths. In other cases, the data access control code is inserted into allof the I/O paths. For example, an authorization check different fromthat performed by the data access control code may be performed outsidethe I/O paths (e.g., for requests that do not relate to the I/O paths),and the data access control code may be executed in response toreceiving a request for one of the I/O paths (e.g., in addition to theauthorization check or instead of the authorization check). As anotherexample, the indication to execute the data access control code storedby the service 160 may indicate that the data access control code is tobe executed as part of an authorization path and may not contain areference to any specific I/O path. In yet other cases, different dataaccess control codes are inserted into different I/O paths (e.g., adefault data access control code is inserted into some of the I/O paths,and a stricter data access control code is inserted into the other I/Opaths). Designation of the I/O path modification (e.g., from a defaultI/O path that does not include execution of any owner-submitted code toa modified I/O path that includes the execution of the data accesscontrol code) is then stored in the I/O path modification data store164, at (4). Additionally, the data access control code is stored withinthe object data stores 166 at (5). Although the example of FIG. 9illustrates the data access control code being stored in the object datastore 166 in response to a request to insert the data access controlcode into the I/O path, in other embodiments, the data access controlcode may have been previously stored in either the object data store 166or another storage device in communication with the object storageservice 160 or the on-demand code execution system 120, and the dataaccess control code may be identified by its identifier in the requestsent to the object storage service 160 at (2)/(3).

As such, when a data request is received via the specified I/O path thatwas modified at (4), the service 160 executes the data access controlcode against the data request and the input data for the data request(e.g., data provided by the client device 102A or an object of theservice 160, depending on the nature of the I/O request). The dataaccess control code then determines, based on the data request (ormetadata thereof) and the input data, whether the data request should begranted as is, granted with modification, or denied. For example, basedon determining that the data request should be granted as is, the dataaccess control code may cause the requested data object to be returnedto the requesting user. As another example, based on determining thatthe data request should be granted with modification, the data accesscontrol code may cause a modified version of the requested data objectto be returned to the requesting user (e.g., by first performing dataremoval, data redaction, or data aggregation on the data object, andreturning the result of the data removal, data redaction, or dataaggregation to the requesting user). As yet another example, based ondetermining that the data request should be denied, the data accesscontrol code may return an error message to the requesting user (e.g.,indicating that the requesting user does not have permission to accessthe requested data object). In this manner, a client device 102A (whichin FIG. 9 illustratively represents the computing device of an owner orprovider of the requested data object or object collection) can obtaingreater control over data stored on and retrieved from the objectstorage service 160.

With reference to FIGS. 10A and 10B, illustrative interactions will bediscussed for processing a data request received by the service 160 viaan I/O path that has been modified to include execution of a data accesscontrol code, using a “GET” call as an example. While shown in twofigures, numbering of interactions is maintained across FIGS. 10A and10B.

The interactions begin at (1), where a client device 102B (e.g., aclient device of a requesting user different from the client device 102Aof FIG. 9 used by the data owner/provider) submits a GET call to theobject storage service 160, which corresponds to a request to obtaindata of an object (identified within the call) stored on the service160. As shown in FIG. 10A, the call is directed to a frontend 162 of theservice 160 that, at (2), retrieves from the I/O path modification datastore 164 an indication of modifications to the I/O path for the call.For example, in FIG. 10A, the I/O path used can correspond to the use ofa GET request method directed to a particular URI (e.g., associated withthe frontend 162) to retrieve an object in a particular logical locationon the service 160 (e.g., a specific data bucket). In FIGS. 10A and 10B,it is assumed that an owner of that logical location has previouslyspecified a modification to the I/O path (e.g., as illustrated in FIG.9), and specifically, has specified that a data access control codesubmitted or selected by the owner should be executed (e.g., on theservice 160 or on the on-demand code execution system 120) to determinethe level of access associated with the requesting user and to processthe data request according to the determined level of access. In someembodiments, the GET call specifies one or more additional datamanipulation codes that need to be executed on the output data beforethe output data is returned to the client device 102B. Upon detectingsuch additional data manipulation codes, the frontend 162 cause theadditional data manipulation codes to be executed on the on-demand codeexecution system 120 on top of the user codes already configured (e.g.,before the GET call is received from the client device 102B) to beexecuted in connection with the requested I/O path. The one or moreadditional data manipulation codes may belong to the owner or providerof the requested data object, to the user submitting the GET call, to athird party other than the data owner/provider or the user, or anycombination thereof.

Accordingly, at (3), the frontend 162 determines that the modificationdata retrieved from the I/O path modification data store 164 includes anexecution of the data access control code. As described herein, the dataaccess control code may be a set of computer-executable instructionswritten or provided by the owner of the requested data object to providecustomized access to the data object. The data access control code maybe similar to other user codes described in the present disclosure(e.g., with reference to FIG. 1). In some cases, the data access controlcode is the only owner-submitted code in the I/O path, and the dataaccess control code returns a value indicative of whether the requestinguser is allowed to access the requested data object (or in cases wheremore than two levels of access exist, the specific level of accessassociated with the requesting user with respect to the requested dataobject) without performing additional tasks on the requested data objectsuch as manipulating the requested data object in some way (e.g.,filter, redact, process, aggregate, encrypt, summarize, or obfuscate therequested data object). In other cases, such a data access control codeis present in the I/O path along with one or more other owner-submittedcodes that are each configured to accomplish a different task (e.g., atask other than data access control, such as data modification,analytics data generation, data access log generation, etc.). By havingthe data access control code focus solely on the data access decisionand not on other data manipulation tasks, the data access control codecan be executed in a much more light-weight manner, which may speed upthe processing of the data access decision and may allow more efficientre-use of the outcome of the data access decision (e.g., by caching thedata access decision or sending the data access decision to multipledata manipulation tasks in parallel). In yet other cases, the dataaccess control code present in the I/O path determines whether therequesting user is allowed to access the requested data object (or incases where more than two levels of access exist, the specific level ofaccess associated with the requesting user with respect to the requesteddata object), and based on the determination, performs one or moreadditional data manipulation tasks corresponding to the determined levelof access (e.g., as illustrated in FIGS. 6A and 6B). Thus, at (4), thefrontend 162 submits a call to the on-demand code execution system 120to execute the data access control code specified within themodification data. For example, a code execution request may begenerated and transmitted to the on-demand code execution system 120,where the code execution request includes (or identifies) the dataaccess control code along with any information to be used by the dataaccess control code to determine whether and how the requesting usershould be given access to the requested data object. Such informationmay include the identity of the requesting user, identity of therequested data object, content of the requested data object, timestampassociated with the data request, identity of the owner of the requesteddata object, or any other data or metadata associated with the datarequest or the requested data object. The on-demand code executionsystem 120, at (5), therefore generates an execution environment 502 inwhich to execute the data access control code (e.g., indicated by thecode execution request received by the on-demand code execution system120. For example, the code execution request may be sent to a frontend130 of the system 120, which may distribute instructions to a workermanager 140 of the system 120 to select or generate a VM instance 150 inwhich to execute the data access control code, in which case the VMinstance 150 would represent the execution environment 502 illustratedin FIG. 10A. During generation of the execution environment 502, thesystem 120 further provisions the execution environment 502 with thedata access control code 504 indicated by the I/O path modificationdata. The data access control code 504 may be retrieved, for example,from the object data stores 166. While not shown in FIG. 10A, theexecution environment 502 further includes other dependencies of thedata access control code 504, such as access to an operating system, aruntime required to execute the data access control code 504, etc.

The interactions of FIG. 10A are continued in FIG. 10B, where theon-demand code execution system 120 executes the data access controlcode 504 at (6). As the data access control code 504 may beuser-authored (e.g., authored by the owner of the requested dataobject), any number of functionalities may be implemented within thedata access control code 504. However, for the purposes of descriptionof FIGS. 10A and 10B, it will be assumed that the data access controlcode 504, when executed, determine data or metadata associated with thedata request, determine data or metadata associated with the requesteddata object, and determine whether the user submitting the data request(i.e., “requesting user”) should be granted access to the requested dataobject. Additionally, the data access control code 504 may, whenexecuted, determine which portions of the requested data object shouldbe returned to the requesting user. Although not illustrated in FIGS.10A and 10B, in some embodiments, the execution environment 502 includesthe file descriptors 506 and 508 described above with reference to FIGS.6A and 6B, and the data access control code 504, when executed, writesoutput data to the output file (e.g., indicated by the output filedescriptor 508) using the input data (e.g., indicated by the input filedescriptor 506) such that the output data is commensurate with therequesting user's level of access. For example, based on the requestinguser having full access to the requested data object, the entire dataobject may be written to the output file. As another example, based onthe requesting user having access to only a subset of the requested dataobject, the subset of the requested data object may be written to theoutput file. As yet another example, based on the requesting user havingaccess to only a modified version of the requested data object (e.g., anencrypted version that does not include the underlying data object inits unencrypted form, an aggregated version that does not include theunderlying data object in its raw form, etc.), the modified version ofthe requested data object may be written to the output file.Alternatively, in some embodiments, the execution of the data accesscontrol code 504 returns an indication of the requesting user's level ofaccess, and the service 160 (or another code execution) handles thereading from or writing to such file descriptors to return the requesteddata object (or a modified version thereof) to the requesting user.

Accordingly, at (7), the system 120 obtains a return value of theexecution of the data access control code 504 (e.g., a value passed in afinal call of the function within the data access control code 504). Forthe purposes of description of FIGS. 10A and 10B, it will be assumedthat the return value indicates that the data access control code 504was successfully executed. At (8), the success return value is thenpassed to the frontend 162. The success return value may be indicativeof whether the requesting user is allowed to access the requested dataobject (or in cases where more than two levels of access exist, thespecific level of access associated with the requesting user withrespect to the requested data object). This value may be cached orprovided to other processes or tasks for re-use. For example, if thevalue indicates that User A is allowed to access Data Object X, thevalue can be cached, and when the service 160 receives another requestto access Data Object X (or another data object associated with the sameaccess level as Data Object X) from User A (or another user whose accesslevel is configured to be the same as User A's access level or moreinclusive than User A's access level), the service 160 can return therequested data object based on the cached value without having toexecute the data access control code. Additionally, such re-use of thedata access decision can also provide a defense against a maliciousrequestor trying to overload the service 160 or the on-demand codeexecution system 120 with a large number of data requests. The cachedvalue can be specific to requesting users (e.g., data requests fromUsers A and B may see and re-use the cached value, but data requestsfrom User C may not), requested data object (e.g., data requests forData Objects X and Y may see and re-use the cached value, but datarequests for Data Object Z may not), level of access (e.g., datarequests for a data object having Security Level 51 may see and re-usethe cached value, but data requests for a data object having SecurityLevel S2 may not), geographical regions (e.g., data requests associatedwith Data Center A may see and re-use the cached value, but datarequests associated with Data Center B may not), and any combinationthereof.

On receiving the return value, the frontend 162 generatesclient-specific output data based on the return value and returns theclient-specific output data as the requested data object at (9). Forexample, based on the return value indicating that the requesting userhas full access to the requested data object, the entire data object maybe included in the client-specific output data. As another example,based on the return value indicating that the requesting user has accessto only a subset of the requested data object, the subset of therequested data object may be included in the client-specific outputdata. As yet another example, based on the return value indicating thatthe requesting user has access to only a modified version of therequested data object (e.g., an encrypted version that does not includethe underlying data object in its unencrypted form, an aggregatedversion that does not include the underlying data object in its rawform, etc.), the modified version of the requested data object may beincluded in the client-specific output data. Interaction (9) thusillustratively corresponds to an implementation of the GET requestmethod, initially called for by the client device 102B, albeit byreturning output data that may differ from the actual data objectspecified within the call. From the perspective of the client device102B, a call to GET a data object from the object storage service 160therefore results in return of data to the client device 102B as theobject. However, rather than returning the data object as stored on theservice 160, the data provided to the client device 102B corresponds toclient-specific output data generated based at least in part on theexecution of the data access control code 504, thus enabling the ownerof the data object greater control over the data returned to the clientdevice 102B. Other details of FIGS. 10A-10B may be identical or similarto those described above with reference to FIGS. 6A-6B.

With reference to FIG. 11, an illustrative routine 1100 will bedescribed for executing an owner-submitted (or owner-specified) dataaccess control code on the on-demand code execution system 120 of FIG. 1to enable user-specific (e.g., specific to the requesting user),access-level-specific (e.g., specific to the level of access associatedwith the requesting user) data provision in response to an I/O requestto the object storage service 160. The routine 1100 is illustrativelyimplemented by the object storage service 160 of FIG. 1. Although someembodiments of the present disclosure are described with reference toowner-submitted codes, such embodiments may also be extended to includeowner-specified codes (e.g., specification of one or more codes providedby the service 160 or another user of the service 160).

The routine 1100 begins at block 1102, where the service 160 receivesdata access control code, for example, from the client device 102A shownin FIG. 9. The data access control code may be a custom control codegenerated or selected by the owner of a data object stored on theservice 160. The service 160 may provide one or more APIs forregistering or selecting custom control code that can be inserted intothe I/O paths. In some embodiments, an actual copy of the data accesscontrol code is received from the client device 102A. In otherembodiments, instead of receiving an actual copy of the data accesscontrol code from the client device 102A, the service 160 receives anidentifier associated with the data access control code from the clientdevice 102A, where the identifier can be used to identify or retrieve anactual copy of the data access control code from within the service 160or in another storage device accessible by the service 160. In yet otherembodiments, the service 160 receives an identifier associated with thedata access control code from the client device 102A, and the identifieris used to cause execution of the data access control code (e.g., on theon-demand code execution system 120) but the service 160 does notretrieve or store an actual copy of the data access control code.

At block 1104, the service 160 stores the data access control code intoone or more I/O paths (e.g., by storing an indication that the dataaccess control code is associated with the one or more I/O paths). Asdiscussed above, once the data access control code is stored into an I/Opath, the service 106, upon receiving a call to the I/O path, causes thedata access control code to be executed.

At block 1106, the service 160 receives a data request from a requestinguser, where the data request indicates the data object that therequesting user wishes to access and the identity of the requesting userproviding the data request. In some embodiments, each user may beassigned a different portal via which the user can access the dataobjects in the object storage service 160. For example, the portal maybe a unique network path into the buckets, folders, volumes, etc. ofdata stored by the object storage service 160. Each portal may beassociated with one or more authorized users and indicate whichowner-submitted code(s) or series of owner-submitted code(s) is placedin the I/O path for which operations through the portal (e.g., GET, PUT,LIST, etc.). For example, for Portal A to a data object, authorizedusers may include User A and User B, and the owner-submitted code(s)placed in a GET path to the data object may include a data accesscontrol code that checks whether the requesting authorized user ispermitted to access the requested data object and a data processing codethat converts the data object into another format having a smaller filesize. Yet further for Portal A, the owner-submitted code(s) placed in aPUT path to the data object may include a virus scanning code thatchecks for malware before writing the requested data to the data object.Any other combinations of authorized users, I/O operations, and codeplacement can be implemented using the techniques described herein. Insome embodiments, each portal is assigned a different identifier (e.g.,DNS name), and the service 160 uses the identifier identify the specificportal via which a given data object is requested.

At block 1108, the service 160 executes the data access control codeusing the data request (or metadata thereof), the requested data object(or metadata thereof), or both. The data access control code can accessthe metadata associated with the data request and the metadataassociated the requested data object, and grant or deny the data request(or take additional steps before doing so such as perform datamanipulations) based on the accessed metadata. For example, the dataaccess control code may look up the requesting user in a permissionstable to determine whether the requesting user has permission to accessthe requested data object. As another example, the data access controlcode may determine whether the requesting user has the required securityclearance by accessing a government clearance database, determinewhether the data request includes any prohibited keywords, and determinewhether the timestamp on the requested data object is within the timewindow by accessing the metadata associated with the requested dataobject as well as accessing a subscriptions database indicating thesubscription time window for the requesting user (e.g., allowed toaccess documents less than 1 month old, allowed to access images morethan 5 years old, allowed to write to or modify data less than 1 weekold, and so on). Based on these determinations, the data access controlcode can determine whether the requesting user is allowed to access therequested data object.

As another example, the data access control code can determine that therequested data object is 35 days old (e.g., by accessing the metadataassociated with the requested data object), and that the user requestingaccess to the data object has access to all data objects older than 30days (e.g., by looking up the identity of the requesting user indicatedin the data request in a data access table), and based in turn on thatdetermination, grant access to the requested data object. As anotherexample, User A may be given a 30-day window to access any data storedby the service 160 (and owned by the data owner), and User B may begiven archival access to data that more than 1 year old. Upon receivinga request for a data object from User A, the data access control codeplaced in the I/O path to the data object can be executed, and the dataaccess control code can deny User A's request based on the requesteddata object being 3 months old. Similarly, upon receiving a request fora data object from User B, the data access control code placed in theI/O path to the data object can be executed, and the data access controlcode can deny User B's request based on the requested data object being3 months old. As another example, the data access control code maydetermine that User A only has access to a portion of the requested dataobject (e.g., a portion that relates to specific keywords such as“legal” or “automobiles”), and return only the portion of the requesteddata object to the requesting user (e.g., all data tagged with keywords“legal” and “automobiles”). As another example, the data access controlcode may access a user access table and determine, based on the useraccess table, that User A has access to all columns of the requesteddata object and return all of the columns in the data object. As anotherexample, the data access control code may access the user access tableand determine, based on the user access table, that User B has access toonly the first three columns of the five columns included in the dataobject and return the first three columns of the data object.

Although granting or denying access based on a time window is describedas an example, the decision to grant or deny access can be made on anyother criteria such as prior access by the requesting user (e.g., wherethe user can only access the data 3 times, and after the user hasaccessed the data three times, subsequent requests for the data by thesame user would be denied), keywords (e.g., where the user can onlyaccess data relating to the keyword “books”, and the user's requestwould be granted only if the request is limited to data relating to thekeyword “books”), geographic region associated with the requesting user(e.g., where only users from the U.S. can access the data and a requestprovided by a user outside the U.S. would be denied), account status ofthe user (e.g., where only premium or VIP users can access the data, anda request provided by a user who does not have a premium or VIP accountwould be denied), a security level associated with the requested dataobject (e.g., where the requesting user is allowed to access dataobjects that are associated with Security Level 3, 4, or 5 but notallowed to access data objects that are associated with Security Level 1or 2), content of the requested data object (e.g., where the requestinguser is not allowed to access data objects that contain the word“confidential”), and the like. Although not illustrated in FIG. 11, theservice 160 may cause a default data access control code to be executedin addition to or instead of a custom data access control code describedabove. In some embodiments, such a default data access control code isexecuted before the execution of the custom data access control code. Inother embodiments, such a default data access control code is executedafter the execution of the custom data access control code.

In some embodiments, the data access control code may provide differentlevels of access depending on the specific I/O request method called.For example, the data access control code may determine that therequesting user has permission to LIST the contents of a given bucket ofdata objects even though the requesting user does not have permission toGET the individual data objects in the given bucket. As another example,the data access control code may determine that the requesting user haspermission to LIST the contents of a given bucket of data objects, andthat while the requesting user does not have permission to GET theindividual data objects in their raw format, the requesting user haspermission to GET portions of the individual data objects or modified(e.g., redacted) versions of the individual data objects in the givenbucket. In other embodiments, the data access control code provides thesame level of access regardless of the specific I/O request methodcalled. For example, the data access control code may determine that therequesting user has permission to LIST the contents of a bucket of dataobjects only if the requesting user also has permission to GET theindividual data objects in the bucket. As another example, the dataaccess control code may determine that the requesting user haspermission to LIST the contents of a bucket of data objects only if therequesting user at least has permission to GET portions of the dataobjects or modified (e.g., redacted) versions of the data objects in thebucket. As another example, the data access control code may determinethat the requesting user has permission to LIST only part of thecontents in the bucket of data objects (e.g., Data Objects 1-4 of DataObjects 1-6 contained in the bucket), and that the requesting user haspermission to GET a smaller subset of the data objects (e.g., DataObjects 1-3 of Data Objects 1-4 that the requesting user has permissionto LIST).

The routine 1100 then proceeds to block 1110, where the service 160returns a data access decision value, which indicates whether therequesting user is allowed to access the requested data object (or thelevel of access associated with the requesting user). Although notillustrated in FIG. 11, in some embodiments, the service 160 may return,based on the data access decision value, a version of the requested dataobject that is specific to the type of access associated with therequesting user. For example, based on the requesting user having fullaccess to the requested data object as is, the service 160 returns therequested data object to the requesting user. Although not shown in FIG.11, the same requesting user may request the same data object a weeklater, and the service 160 may determine that the requesting user nolonger has access to the requested data object (e.g., due to a change inthe requesting user's access rights, due to the requesting user's accessto the data object having exceeded a threshold count allotted to therequesting user, due to the timestamp associated with the data objectfalling outside the time window during which the requesting user isallowed access the data object, etc.) and deny the subsequent datarequest. Alternatively, the requesting user may be provided differentsegments of the data object at different levels of granularity dependingon the context in which the requesting user submits the data request.Thus, by allowing the owner of the data object to place the data accesscontrol code in the I/O paths for the data object, the owner candynamically control access to the data object. Doing so may beparticularly advantageous for object storage services having a largenumber of users whose permission settings change frequently. Forexample, a data owner/provider who utilizes an object storage service toprovide data subscription services to his or her subscribes would findit burdensome to have to update the permission settings for theindividual subscribers as new subscribers sign up, the existingsubscribers change their subscription levels (e.g., basic access topremium access, or from paid access to free access), and the context inwhich the data requests are received from the individual subscriberschange (e.g., the time at which the data requests are received, thecount of prior access, keywords limiting the data requests, etc.).Instead, the techniques described herein allow such a dataowner/provider to write a data access control code and place it in theI/O path, and have the data access control code dynamically determine,based on the changing access levels and context, whether to grant ordeny the data requests. The routine 1100 then ends at block 1112.

With reference to FIG. 12, an illustrative routine 1200 will bedescribed for another embodiment of executing an owner-submitted (orowner-specified) data access control code in which additional datamanipulation is performed based on the access level associated with therequesting user. The routine 1200 is illustratively implemented by theobject storage service 160 of FIG. 1.

The routine 1200 begins at block 1202, where the service 160 obtains arequest to access a data object stored by the service 160 from arequesting user, and at block 1204, the service 160 executes data accesscontrol code inserted into the I/O path associated with the request, ina manner similar to those described with reference to FIG. 11.

At block 1206, the service 160 determines the level of access associatedwith the requesting user. For example, the execution of the data accesscontrol code may provide an indication of the level of access associatedwith the requesting user. If the service 160 determines that therequesting user has full access to the requested data, the service 160,at block 1208, returns the requested data. If the service 160 determinesthat the requesting user does not have access to the requested data, theservice 160, at block 1210, denies the request. Although the example ofFIG. 12 illustrates three levels of access (e.g., full access, modifiedaccess, and no access), any other number of access levels can beutilized to provide access-level-specific execution of owner-submittedcodes (e.g., to filter, redact, process, aggregate, encrypt, summarize,or obfuscate the requested data object).

If the service 160 determines that the requesting user has modifiedaccess (e.g., a level of access different from full access and noaccess), the service 160, at block 1212, causes one or more datamanipulation task codes to be executed on the requested data. Forexample, the service 160 may generate a code execution request andtransmit the code execution request to the on-demand code executionsystem 120 as illustrated FIGS. 10A-10B. The data manipulation taskcodes may be configured to (i) remove a portion of the data object(e.g., segments, columns, rows, pages, etc.), (ii) generate aggregateddata by aggregating at least a portion of the data object such that theuser-specific output includes the aggregated data that is not includedin the data object itself and also does not include at least some dataincluded in the original data object, or (iii) render a portion of thedata object unintelligible by encryption or redaction of data. In somecases, the data manipulation is performed only upon determining that thedata request does not satisfy one or more of a temporal restriction(e.g., the requesting user has a trial access that has expired, so onlythe first page of the documents are provided), geographical restriction(e.g., requests from outside the U.S. may be processed to reduce thefile size of the requested image object), keyword restriction (e.g.,presence or absence of a specific keyword may cause the returned dataobject to be encrypted), restriction on the number/amount of prioraccess (e.g., after the requesting user has used up his or her 1-timeunlimited access to the data object, the subsequent requests for thedata object result in a redacted version of the data object), or othercriteria described with reference to FIG. 11. In other cases, the datamanipulation is performed regardless of whether suchrestrictions/criteria are satisfied. Although not illustrated in FIG.12, in some embodiments, the data returned to the requesting user issent to the user in multiple stages. For example, in response todetermining the requesting user's access level with respect to therequested data object at block 1206, the service 160 may send one ormore HTTP headers to the requesting user (first stage) to indicate thata successful access request decision has been made (or that anauthorization failure has occurred), and when the requested data objectis ready to be sent to the requesting user (without data manipulation atblock 1208, or with data manipulation at block 1214), the service 160sends the requested data to the requesting user in one or more HTTPresponses (second stage). In some embodiments, the service 160 sends theone or more HTTP headers to the requesting user before the execution ofthe additional data manipulation codes is initiated. In otherembodiments, the service 160 sends the one or more HTTP headers to therequesting user after the execution of the additional data manipulationcodes is initiated but before the execution is completed. In yet otherembodiments, the service 160 sends the one or more HTTP headers to therequesting user after the execution of the additional data manipulationcodes is completed. By promptly indicating to the requesting userwhether the access grant decision has been made, the service 160 canprevent the requesting user from sending additional requests to try togain access to the requested data object (e.g., based on the delay inresponse from the service 160), thereby eliminating or reducing theconsumption of valuable processing and network resources of the service160 on unnecessary requests.

At block 1214, the service 160 returns the output of the datamanipulation to the requesting user. In some embodiments, the datamanipulation performed on the requested data object is transparent tothe requesting user such that the requesting user cannot determinewhether the requested data object is returned with or without the datamanipulation. In other embodiments, the requesting user can determinewhether the requested data object is returned with or without the datamanipulation (e.g., based on an indicator output along with the returneddata or a message such as “here is a preview” or “for a full version,please subscribe here”). Although data access control code and datamanipulation task code are described herein as examples, other types ofuser code can be utilized to further customize the service 160. Forexample, the data owner/provider may insert a tracking code in the PUTand GET paths that monitors the identity of the users uploading data tothe service 160 and downloading data from the service 160 and generatesanalytics data (e.g., the number of times User A's publication wasdownloaded by other users, the number of files User B has downloaded,etc.) that can be stored within the service 160 or another externallogging service. In some embodiments, a notification, credit, or rewardmay be provided to the users based on the analytics data (e.g., a creditmay be provided to a user each time the user's data is accessed byanother user, or a fee may be charged to a user each time the useraccesses another user's data). Thus, by allowing the owner of the dataobject to place certain codes (e.g., owner-submitted codes) in the I/Opaths for the data object, the owner can dynamically perform datamanipulations to the data object and provide user-specific output datato the requesting users. Doing so may be particularly advantageous forobject storage services having a large number of users who havedifferent levels of access and different types of output (e.g., someusers having access to the raw data, some users having access to only apreview version of the raw data, some users having access to only anaggregate version of the raw data, some users having access to only asubset of the raw data, etc.). For example, a data owner/provider whoutilizes an object storage service to provide data subscription servicesto his or her subscribes would find it burdensome to have to configurethe object storage service to provide subscriber-specific types ofoutput to the individual subscribers and update the configuration as theindividual subscribers' access levels change. Instead, the techniquesdescribed herein allow such a data owner/provider to write a data accesscontrol code and one or more data manipulation codes, and place thecodes in the I/O path, and have the codes dynamically generate, based onthe changing access levels and context, subscriber-specific versions ofthe requested data object (e.g., unmodified, redacted, filtered,encrypted, etc.) to be returned to the subscribers. The routine 1200then ends at block 1216.

With reference to FIG. 13, illustrative interactions are depicted forenabling a client device 102A to specify code execution environmentrules to control the code execution environment for the variousfunctions executed on the on-demand code execution system 120 inresponse to an I/O request from a requesting user.

The interactions of FIG. 13 begin at (1), where the client device 102Agenerates code execution environment rules. The object storage service160 may provide a user interface for specifying one or more codeexecution environment rules. For example, the code execution environmentrules may be specified in connection with specific codes when the codesare provided or specified to the service 160 (e.g., by the author of thecodes, by the owner of the codes, or by the requesting user). At (2),the client device 102A submits the code execution environment rules tothe frontend 162 of the service 160, and the frontend 162 causes thecode execution environment rules to be stored in the object data store166, at (3).

At (4), the frontend 162 causes execution of one or more owner-submittedcodes (e.g., data access control codes, data manipulation codes, etc.)on the on-demand code execution system 120 according to the codeexecution environment rules. For example, the worker manager 140 mayacquire the compute capacity (e.g., virtual machine instances orcontainers created thereon) needed to execute such owner-submitted codesand configure the compute capacity according to the code executionenvironment rules such that the user code being executed using thecompute capacity is given additional privileges (e.g., access toexternal services or the requesting user's private resources) or furtherrestricted in some way (e.g., by disabling establishing networkconnections with external resources, limiting the amount of computingresources used by the code, limiting the amount of time spent onexecuting the code, etc.). In some embodiments, two or more templates ofcode execution environment rules may have been specified for a givencode execution (e.g., by the author of the code, by the owner of thecode, by the requesting user, or any combination thereof). In suchembodiments, the templates may be applied according to a specificpriority order (e.g., the order in which the template of rules areapplied, and whether a template of rules is allowed to modify oroverride another template of rules). For example, a template of rulesspecified by the author of the code or the requesting user may not beallowed to modify or override the template of rules specified by thedata owner/provider. As another example, the template of rules specifiedby the author is applied first, then the template of rules specified bythe data owner/provider is applied so long as the template does notmodify the template of rules specified by the author, and then thetemplate of rules specified by the requesting user is applied so long asthe template does not modify the template of rules specified by theauthor or the template of rules specified by the data owner/provider.Additionally, in some embodiments, the on-demand code execution system120 can, as part of its operations in executing the one or more codesspecified to the system 120, re-use the execution environment configuredaccording to the rules specified at (2), or cache the results returnedto the service 160.

Additional details of how the code execution environment rules are usedto control or modify the execution environment for the one or moreowner-submitted functions are described in greater detail below withreference to FIG. 14.

With reference to FIG. 14, an illustrative routine 1400 will bedescribed for customizing the execution environment for one or more codeexecutions performed in response to an I/O request from a requestinguser. The routine 1400 is illustratively implemented by the objectstorage service 160 of FIG. 1.

The routine 1400 begins at block 1402, where the service 160 receivescode execution environment rules to control user code execution. Forexample, the service 160 may provide a user interface or an API forgenerating or selecting the code execution environment rules. The userinterface or API may also allow the owner to generate or selectdifferent sets of code execution environment rules for differentowner-submitted codes.

The code execution environment rules may specify one or more privilegesor restrictions associated with one or more code executions to beperformed in response to the I/O request from the requesting user. Forexample, the code execution environment rules may specify a time limiton a duration of the execution of the owner-defined code, a resourcelimit on an amount of computing resources used by the execution of theowner-defined code, or the amount of computing resources to be allocatedto the virtual machine instance on which the owner-defined code is to beexecuted. In some cases, the code execution environment rules mayspecify one or more services that the code execution can access or theparameters or credentials (e.g., the data object owner's credentials orthe requesting user's credentials) needed to access such services (e.g.,logging service, database service, storage service, etc.). In othercases, the code execution environment rules may specify one or moreservices that the code execution cannot access (e.g., to prevent thecode execution from establishing a connection to unsecure resources).

At block 1404, the service 160 receives a request to apply an I/O method(e.g., PUT, GET, LIST, etc.) to specific data stored by the service 160.In some cases, the code execution environment rules are received in therequest to apply the I/O method. In other cases, the code executionenvironment rules are provided separately from this request.

At block 1406, the service 160 causes one or more user codes (e.g.,owner-submitted codes such as data access control code, datamanipulation code, analytics data generation code, etc.) that have beeninserted into the I/O path associated with the request to be executedaccording to the code execution environment rules. For example, the codeexecution may, based on the code execution environment rules, access anexternal logging service and store analytics data associated with thecode execution to the logging service. As another example, the codeexecution may, based on the code execution environment rules, access anexternal permissions database and determine whether the requesting userhas access to the requested data object. As yet another example, thecode execution may, based on the code execution environment rules,refrain from accessing any external resources. At block 1408, theservice 160 applies the requested I/O method to the result of the codeexecution. The routine 1400 then ends at block 1410.

Other Considerations

All of the methods and processes described above may be embodied in, andfully automated via, software code modules executed by one or morecomputers or processors. The code modules may be stored in any type ofnon-transitory computer-readable medium or other computer storagedevice. Some or all of the methods may alternatively be embodied inspecialized computer hardware.

Conditional language such as, among others, “can,” “could,” “might” or“may,” unless specifically stated otherwise, are otherwise understoodwithin the context as used in general to present that certainembodiments include, while other embodiments do not include, certainfeatures, elements or steps. Thus, such conditional language is notgenerally intended to imply that features, elements or steps are in anyway required for one or more embodiments or that one or more embodimentsnecessarily include logic for deciding, with or without user input orprompting, whether these features, elements or steps are included or areto be performed in any particular embodiment.

Disjunctive language such as the phrase “at least one of X, Y, or Z,”unless specifically stated otherwise, is otherwise understood with thecontext as used in general to present that an item, term, etc., may beeither X, Y, or Z, or any combination thereof (e.g., X, Y, or Z). Thus,such disjunctive language is not generally intended to, and should not,imply that certain embodiments require at least one of X, at least oneof Y or at least one of Z to each be present.

Unless otherwise explicitly stated, articles such as ‘a’ or ‘an’ shouldgenerally be interpreted to include one or more described items.Accordingly, phrases such as “a device configured to” are intended toinclude one or more recited devices. Such one or more recited devicescan also be collectively configured to carry out the stated recitations.For example, “a processor configured to carry out recitations A, B, andC” can include a first processor configured to carry out recitation Aworking in conjunction with a second processor configured to carry outrecitations B and C.

The term “or” should generally be understood to be inclusive, ratherthan exclusive. Accordingly, a set containing “a, b, or c” should beconstrued to encompass a set including a combination of a, b, and c.

Any routine descriptions, elements or blocks in the flow diagramsdescribed herein or depicted in the attached figures should beunderstood as potentially representing modules, segments, or portions ofcode which include one or more executable instructions for implementingspecific logical functions or elements in the routine. Alternateimplementations are included within the scope of the embodimentsdescribed herein in which elements or functions may be deleted, orexecuted out of order from that shown or discussed, includingsubstantially synchronously or in reverse order, depending on thefunctionality involved as would be understood by those skilled in theart.

It should be emphasized that many variations and modifications may bemade to the above-described embodiments, the elements of which are to beunderstood as being among other acceptable examples. All suchmodifications and variations are intended to be included herein withinthe scope of this disclosure and protected by the following claims.

What is claimed is:
 1. A system for providing customized access to adata object stored on an object storage service, the system comprising:one or more data stores including: the data object; and informationdesignating a modification to input/output (IO) operations to includeexecution of owner-defined data access control code prior to providingresponses to requests to perform the IO operations; one or moreprocessors configured with computer-executable instructions to: obtainfrom a client device a data request to retrieve the data object, whereinthe data request indicates the data object and a requesting userassociated with the data request; determine metadata based at least onone or both of the data request the data object; implement, on anon-demand code execution system, an execution of the owner-defined dataaccess control code based at least on the determined metadata; obtain,from the execution of the owner-defined data access control code, anindication that the requesting user is allowed to access the dataobject; generate, based at least on the indication obtained from theexecution of the owner-defined data access control code, user-specificoutput data representing a version of the data object accessible by therequesting user; and return to the client device the user-specificoutput data as the data object.
 2. The system of claim 1, whereinimplementing the execution of the owner-defined data access control codecomprises determining that the data request satisfies a temporalrestriction placed on the requesting user's access to the data object,and generating the user-specific output data that includes the dataobject in its entirety.
 3. The system of claim 1, wherein implementingthe execution of the owner-defined data access control code comprisesdetermining that the requesting user has access to a first portion ofthe data object but does not have access to a second portion of the dataobject, and generating the user-specific output data that includes thefirst portion of the data object but not the second portion of the dataobject.
 4. The system of claim 1, wherein implementing the execution ofthe owner-defined data access control code comprises determining thatthe requesting user is associated with a geographical region from whichthe requesting user is allowed to access the data object, and generatingthe user-specific output data that includes the data object in itsentirety.
 5. The system of claim 1, wherein the owner-defined dataaccess control code is configured to access a user access tableindicating, for each respective user of a plurality of users of theobject storage service, one or more portions of the data objectaccessible by the respective user.
 6. A computer-implemented method,comprising: storing a data object and an indication to execute a dataaccess control code in connection with one or more input/output (IO)operations associated with the data object; obtaining from a clientdevice a data request to retrieve the data object, wherein the datarequest indicates the data object and a requesting user associated withthe data request; executing the data access control code based at leaston one or both of data associated with the data request and dataassociated with the data object; obtaining, from the execution of thedata access control code, an indication that the requesting user isallowed to access the data object; generating, based at least on theindication obtained from the execution of the data access control code,user-specific output data; and returning to the client device theuser-specific output data as the data object.
 7. Thecomputer-implemented method of claim 6, further comprising caching theindication such that a subsequent data request to retrieve the dataobject from the client device does not trigger execution of the dataaccess control code.
 8. The computer-implemented method of claim 6,wherein the indication to execute the data access control code indicatesthat the data access control code is to be executed as part of anauthorization path and does not contain a reference to any specific IOpath.
 9. The computer-implemented method of claim 6, wherein thegenerated user-specific output data includes the data object in itsentirety.
 10. The computer-implemented method of claim 6, whereinexecuting the data access control code comprises determining that thedata request satisfies a temporal restriction placed on the requestinguser's access to the data object, and wherein the generateduser-specific output data includes the data object in its entirety. 11.The computer-implemented method of claim 6, wherein executing the dataaccess control code comprises determining that the requesting user hasaccess to a first portion of the data object but does not have access toa second portion of the data object, and wherein the generateduser-specific output data includes the first portion of the data objectbut not the second portion of the data object.
 12. Thecomputer-implemented method of claim 6, wherein executing the dataaccess control code comprises determining that the requesting user isassociated with a geographical region from which the requesting user isallowed to access the data object, and wherein the generateduser-specific output data includes the data object in its entirety. 13.The computer-implemented method of claim 6, further comprising:obtaining the data request via a first portal; determining that datarequests received via the first portal are associated with the dataaccess control code; and executing the data access control code.
 14. Thecomputer-implemented method of claim 13, further comprising: receiving asecond data request from a second client device via a second portaldifferent from the first portal; determining that data requests receivedvia the second portal are not associated with the data access controlcode; and returning to the second client device, in response to thesecond data request, user-specific output data based at least onexecuting a default data access control code and without executing thedata access control code.
 15. A non-transitory computer-readable mediumstoring instructions that, when executed by a computing system, causethe computing system to perform operations comprising: storing a dataobject and an indication to execute a data access control code inconnection with one or more input/output (IO) operations associated withthe data object; obtaining from a client device a data request toretrieve the data object, wherein the data request indicates the dataobject and a requesting user associated with the data request; executingthe data access control code based at least on one or both of dataassociated with the data request and data associated with the dataobject; obtaining, from the execution of the data access control code,an indication that the requesting user is allowed to access the dataobject; generating, based at least on the indication obtained from theexecution of the data access control code, user-specific output data;and returning to the client device the user-specific output data as thedata object.
 16. The non-transitory computer-readable medium of claim15, wherein executing the data access control code comprises determiningthat the data request satisfies a temporal restriction placed on therequesting user's access to the data object.
 17. The non-transitorycomputer-readable medium of claim 15, wherein executing the data accesscontrol code comprises determining that the requesting user has accessto a first portion of the data object but does not have access to asecond portion of the data object, and wherein the generateduser-specific output data includes the first portion of the data objectbut not the second portion of the data object.
 18. The non-transitorycomputer-readable medium of claim 15, wherein executing the data accesscontrol code comprises determining that the requesting user isassociated with a geographical region from which the requesting user isallowed to access the data object.
 19. The non-transitorycomputer-readable medium of claim 15, wherein the operations furthercomprise: obtaining the data request via a first portal; determiningthat data requests received via the first portal are associated with thedata access control code; and executing the data access control code.20. The non-transitory computer-readable medium of claim 19, wherein theoperations further comprise: receiving a second data request from asecond client device via a second portal different from the firstportal; determining that data requests received via the second portalare not associated with the data access control code; and returning tothe second client device user-specific output data without executing thedata access control code in response to the second data request.